FOREWORD


This report is submitted in accordance with the requirements of
Contract NAS8-27567. Martin Marietta Corporation submits this
report in three volumes as follows:

Volume I--System Functional Activities (NASA CR-61380) 

Volume II--Technical Parameters (NASA CR-61381) 

Volume III--Operational Availability (NASA CR-61382) 









CONTENTS

I. INTRODUCTION

A. Approach and Definition

B. Analytic Development of Availability Parameters

C. Detail Breakdown of Availability

D. Availability Specification

II. SCOPE

III. ANALYTICAL DESCRIPTION OF OPERATIONAL AVAILABILITY

IV. ILLUSTRATIVE EXAMPLES OF OPERATIONAL AVAILABILITY

Appendix A - Considerations for Systems Performance Effectiveness Models

Appendix B - Analytic Derivation of the Availability Function

Appendix C - Reliability and Maintainability Tradeoff Approach

Appendix D - Some Probability Background - Joint Probabilities

Appendix E - Launch On Time Analyses

Appendix F - Monte Carlo Simulation Model

Bibliography







SUMMARY 


Volume III is a detailed description and explanation of the
operational availability parameter. The fundamental mathematical
basis for operational availability is developed, and its
relationship to a system's overall performance effectiveness is
illustrated within the context of identifying specific availability
requirements. Thus, in attempting to provide a general methodology
for treating both hypothetical and existing availability requirements,
the concept of an "availability state", in conjunction with the
more conventional probability-time capability, is investigated.

In this respect, emphasis is focused upon a balanced analytical
and pragmatic treatment of operational availability within the
system design process. For example, several applications of
operational availability to typical aerospace systems are presented,
encompassing the techniques of Monte Carlo Simulation, System
Performance Availability Trade-Off Studies, Analytical Modeling of
specific scenarios, as well as the determination of Launch-on-Time
probabilities. Finally, an extensive bibliography is provided to
indicate further levels of depth and detail of the operational
availability parameter.



I. INTRODUCTION


Operational availability is a measure of the extent to which a 
system can be expected to be in a state or condition to perform 
its assigned function within an established time frame and 
under given environmental conditions. As such, a system's
operational availability includes both a detailed description of 
the performance characteristics of individual system elements, as 
well as the specification of the overall system states. In this 
respect, the resultant complexity of large aerospace systems 
involves a broad set of requirements that express the multitude of 
mission objectives. This complexity brings with it the need for 
a quantitative means to measure the total effectiveness of a system, 
particularly where alternative approaches are to be considered. 

One fundamental approach to the measurement of total systems
effectiveness (SE) is to formulate its effectiveness in terms
of a figure of merit, such as:

$$SE = P(A) \cdot P(C),$$

where

P(A) = probability that the system will be operational during
a specified time interval, or at a particular instant of time;

P(C) = probability of achieving the mission objectives, given
the system is available and dependable.

The development of analytic models for total SE evaluation is 
treated in detail in Appendix A. The basic characteristics of an 
effectiveness model, along with the equations for specifying 
significant effectiveness functions are also given. The real 
value of the resultant SE index lies in the definition/design of 
systems where choices between alternatives are made, and the 
primary objective is to select that particular candidate having 
the greatest overall benefit. In such cases, indices of 
effectiveness aid the decision maker in terms of augmenting his 
experience and skill with a quantifiable measure of overall 
systems performance. 



A. APPROACH AND DEFINITION


In this study, the specification and definition of operational 
availability is approached from two distinct points of view: 

1) The contribution of operational availability to the
determination of a total SE index or figure of merit within the
overall systems context;

2) The quantification of the availability parameter in terms
of specific performance characteristics, such as instantaneous
availability, interval availability, steady-state
availability, or a time-dependent probability.

Thus, in the real world, the availability parameter addresses 
the time usage of a system and deals with problems of failure of 
system elements (people, equipment, facilities, etc), as well 
as with the areas of support requirements needed to correct and 
prevent failures. As such, the measure of availability is a 
determination of the degree to which a system can be expected 
to perform some particular function. It is a probabilistic-time 
capability of the system. The origin of these requirements lies
in the prior mission analyses that are usually performed to 
quantify the overall objectives and that will ultimately drive 
the definition of a particular availability index. In the early 
concept phase, some of these factors are: 

1) What is needed to satisfy the objectives? 

2) What is achievable with the resources available? 

3) What are the acceptable risks of success and failure? 

The mission analyses in the concept phase examine these factors 
in detail for the major performance objectives and formulate 
specifications (initial) that will subsequently be used to select 
the "design to" availability parameters for the concept that best
meets these total mission requirements. The degree of sophistication 
and complexity of such analyses can vary from very complex simulations 
of the mission scenarios to a cursory examination of only the 
principal factors. Much depends on the criticality of the particular 
problem being considered. 

The scope of such studies depends on how much is known about the 
mission and types of systems that can accomplish it. It is obvious, 
for example, that a contemplated mission never before attempted, 
requiring systems never before produced, will be much more uncertain 
(in terms of a probability measure) than a modification to an 
existing system for a previously performed mission. The former
case is of greater significance, because it poses the problem of
establishing availability requirements for new and untried systems.

In attempting to provide a general methodology for treating 
both hypothetical and existing availability requirements, the
concept of an "availability state" is introduced. This formulation
of availability is entirely consistent with the probability-time
capability previously discussed and further includes the dimension 
of states. The definition previously given for operational 
availability, i.e., a measure of the extent a system can be 
expected to be in a state or condition to perform its assigned 
function, is general; however, it does imply that a probability, 
a state, and a time capability make up the quantification of this 
parameter. Availability requirements can, therefore, be expressed 
in several ways--determined by the system and the specific manner 
in which it is used. The availability requirement may be expressed 
as: 

1) A specific schedule time; 

2) A time period or interval; 

3) A random time within a time period;

4) A set of time frames, i.e., states; 

5) An instantaneous time; 

6) A steady-state condition; 

7) A probability-time-state use;

8) Combinations of the above. 

B. ANALYTIC DEVELOPMENT OF AVAILABILITY PARAMETERS

A complex system's usage may include one or more of these
requirements distributed among several elements of the system and
applying to various usage states (launch, payload delivery, orbit
operation, recovery, etc). The probabilities associated with each
state requirement represent the degree of assurance or probability
of success desired. Thus, operational availability may be expressed
as a probability of time requirement for any system state. The
relationships are illustrated in Fig. 1, and bring together the
concepts of probability-time-state to quantify the availability
parameters.

[Fig. 1 Availability States (panels: State X, State Y)]


In Fig. 1, A is the availability requirement, subscripts 1, 2,
3... indicate system elements, and superscripts a, b, c... indicate
specific availability requirements for the system elements. Thus,
the total operational availability for all states and all system
elements may be written symbolically from Fig. 1 as:



where t denotes the time dependency for each particular state. 


One may, for the purpose of this illustrative example, consider 
X as the launch state, and Y as the orbit mission state. The 
elements of X are the launch vehicle, support equipment, launch 
site facilities, etc, while the elements of Y are the payload, 
experiment package, telemetry, data link, etc. Then, some typical 
availability specifications for these elements would be: 

1) Launch on time probability (launch state); 

2) Probability of payload availability (orbit state). 


For each system element, its operational availability would be 
expressed symbolically as: 


A 2 “^ A 2 * A ?. 

A 3 "£ A 3 * A 3 


System element level operational availability 


For each system state, the operational availability is: 


A Launch a ^T^A* A^ * 
State 

A Orbit « * A® ‘ A* 

State J 


System state level operational availability




The total system availability is given by: 

$$A_{\text{System}} = A_{\text{Launch State}} \cdot A_{\text{Orbit State}},$$

where the availability of the orbit state is conditional on the 
launch state availabilities. 

These symbolic equations illustrate the technique of dealing with
both the system element and system state levels of availability.

C. DETAIL BREAKDOWN OF AVAILABILITY

For each specific element and subelement, the measure of operational 
availability may be broken down still further as follows: 

1) Instantaneous availability - The probability that the element
will be available at any random time t; 

2) Interval availability - The proportion of time in an interval 
that the element is available for use; 

3) Steady-state availability - The proportion of time that the 
element is available for use when the time interval considered 
is very large. 

In the limit, these three measures of availability approach the 
steady-state availability. Which measure is most applicable 
depends on the element state and its conditions of use. For 
elements or subelements that are to be operated in continuous 
systems, e.g., a detection radar system, steady-state availability
may be the satisfactory measure. For elements whose usage is 
defined by a duty cycle, e.g., a tracking radar system that is 
called on only after an object has been detected and is expected 
to track continuously during a given time period, Interval 
availability may be the most satisfactory measure. Finally, 
for elements that are required to perform a function at any random 
time, e.g., a data processing system as part of a telemetry system 
that is to be employed to process orbital data and then remain 
idle for a length of time, Instantaneous availability may be the 
most satisfactory measure. In general, the duty cycle of each 
element would determine the form of availability most appropriate 
as the measure of performance. 
The expression for instantaneous availability can be determined
by describing the failure and repair process in a system of linear
differential and/or difference equations as with reliability,
with the exception that one allows for repairs out of the failed
state of the system. These equations would describe the transition
from one operability state to another. The solution of the
differential equations is the probability that the system is
available at any random time t.

1. Instantaneous Availability


For a single equipment (single element), the measure of
instantaneous availability is given by:

$$A(t) = \frac{\mu}{\mu + \lambda} + \frac{\lambda}{\mu + \lambda} \exp[-(\mu + \lambda)t],$$

where

μ = equipment repair rate;
λ = equipment failure rate;
t = a random time.


This result and the two- and three-equipment parallel and standby 
redundant system instantaneous availability equations are shown in 
Table 1. Both parallel and standby redundancy and single and 
multiple repair capability formulas are given for comparative 
purposes. 

2. Interval Availability


The proportion of time that the element is available in an interval
$t_1$ to $t_2$ can be computed by taking the average value of
instantaneous availability over the time of usage.

$$A_m(t) = \frac{1}{t_2 - t_1} \int_{t_1}^{t_2} A(t)\,dt,$$

where

$t_1$ = start of mission time (usually = 0);
$t_2$ = end of mission time.

Table 1 Availability of Some Redundant Systems Based on Exponential Failure and Repair Distributions



























3. Steady-State Availability

The proportion of time that the element is available in an interval
(0, t) as t becomes very large can be arrived at by taking the limit,
as t → ∞, of the above equation.

$$A_{ss}(\infty) = \lim_{t \to \infty} \left[ \frac{1}{t} \int_0^t A(t)\,dt \right].$$

Note that integrating the right-hand terms of the instantaneous
availability equations of Table 1 over the interval (0, ∞)
results in a solution leaving the first term on the right side of
these equations. Thus, for example, the limiting expression for a
single element (single equipment) system is:

$$A_{ss}(\infty) = \mu / (\mu + \lambda).$$

For most elements, the measure of steady-state availability is 
satisfactory. Note also that because the steady-state value is 
always less than the values of instantaneous and interval 
availability, the use of the former measure allows for conservation. 

If one assumes that repairs cannot be made until complete element 
failure, the expression for a single element steady-state availability 
can be approximated by: 

$$A_{ss} = \frac{MTTF}{MTTF + MRT},$$

where

MRT = mean repair time = 1/μ;

MTTF is given by 1/λ.

This rather familiar expression may be further expanded to
illustrate in greater detail the pragmatic subelement
considerations. For example, the above formula may be reduced to:

$$A_{ss} = \frac{\text{Total Up-Time for a Period}}{\text{Total Up-Time} + \text{Total Downtime this Period}} = \frac{\text{Mean Up-Time for a Period}}{\text{Mean Up-Time} + \text{Mean Downtime for this Period}}$$

The above can be written:

$$A_{ss} = \frac{MTBM}{MTBM + MDT} = \frac{MTBM}{MTBM + (Mct + Mpt)},$$
where

MTBM = mean time between maintenance actions involving
both corrective and preventive maintenance;

MDT = mean downtime;

(Mct + Mpt) = mean of the time for the aggregate of
corrective and preventive maintenance actions;

Mct = corrective maintenance downtime caused by failures
and other causes such as accidents, human-induced
maintenance, etc;

Mpt = preventive maintenance that is scheduled (usually
includes daily, weekly, and monthly actions),
which may include replacement of scheduled wear out
parts, recycling, etc., depending on customer
project rules.

Note: Operational administrative delay of maintenance is not
considered.

The above expression can be reduced to:

$$A_{ss} = \frac{MTBF}{MTBF + Mct},$$

where

Mpt does not cause system downtime. This is the case
when Mpt is eliminated or its need is restricted
by design to off-duty periods such as during net oi
excused periods such as recycling or depot overhaul.

Mct considered is limited to maintenance correction of
random hardware failures and does not include
accidents, human-induced failures, etc.

$$Mct = Mct_{\text{Inherent}} + \text{Delay}_{\text{Supply}} + \text{Delay}_{\text{Maintenance Administrative}},$$

where 
Mct_Inherent = the mean of the controlled degree of
maintainability designed into hardware. It is the
responsibility of maintenance to define (by
participation in system analysis and trade studies),
specify, predict, review, assist designers,
determine design corrections, and evaluate results
in hardware for maintenance time and design
characteristics that will enable economical maintenance on time
to achieve A assuming that the facilities, environment,
manpower, skills, procedures, tools, test equipment,
spares, and supplies, obligated by the maintenance
concept are used.


Delay_Supply = the mean of the lost time while a
maintenance task is suspended awaiting spares or
supplies. It starts on official supply demand by
maintenance at the designated supply point. Such
delay is a function of stock identification, planned
stock layout, purchase and delivery, and receipt/
storage/issue by launch sites. It is aggravated
when sites do not follow the planned system.


Delay_Maint Admin = mean of the lost time while a maintenance
task is delayed awaiting the arrival of skills, tools,
test equipment, and time out for personnel and official
reasons. This can be aggravated when launch sites do
not follow the plans identified for facilities, maintenance,
environment, manpower, skills, procedures, tools,
and test equipment.

D. AVAILABILITY SPECIFICATION 

The detailed illustrative samples presented in the preceding
sections furnish a general framework within which the
specification of availability parameters may be carried out. In
particular, these methods include modeling of the mission to
provide the means for examining the given scenarios and
contingencies for each mission state and apportioning the system
availability parameters to the major elements and subelements.

The techniques and procedures in this initial phase of activity
are systems analyses, in which modeling and simulations based on
estimates, similarities to previous systems, etc are developed.

The definition/design phase proceeds with specific requirements
for operational availability allocated to these major modules. 

The task faced in the definition/design phase is to establish 
system availability specifications. 
1. Illustrative Example of Availability Specification


The above methods are illustrated in the following example, which 
specifies the availability requirements as they relate to an 
extended mission of a manned orbital vehicle. In particular, the 
analysis deals with the maintainability tradeoffs in terms of 
maximizing the total systems effectiveness and minimizing such 
cost factors as maintenance times and the weight and volume of 
spares. The methodology makes use of a computer simulation to 
determine: 

1) Whether to use redundant parts, carry spare modules for easy 
replacement, make repairs in flight, or how best to combine 
these approaches; 

2) Whether to use built-in automatic failure location devices 
or auxiliary test gear; 

3) What the effect is of replacement times and the required 
weight and volume of spare modules on the equipment 
availability; 

4) The applications for which commonality of parts can be used
effectively;

5) The techniques that can be used to improve the maintainability 
per unit weight, volume, or other associated cost factors. 

Almost every aspect of reliability/availability/maintainability
design is a matter of compromise. If every conceivable
requirement in the way of spare parts, tools, test equipment, and
trained repairmen is foreseen and provided, the space vehicle
would become a combination warehouse and factory and never get
off the ground. Because of the long mission times and the large
number of system parts involved, it is practically impossible to
achieve acceptable dependability/availability through reliability
alone, but it would be equally impossible to maintain an unreliable
system. Furthermore, these factors must be considered from the
standpoint of the value of the mission because, if dependability/
availability were the primary mission goal, man would stay on the
ground. The following discussion does not include all factors,
but does indicate the scope of the problem.

Initially, there are the tradeoffs between reliability, 
maintainability and availability. The increase of reliability 
through the use of more reliable components, of parallel and 
standby redundancy, of higher standards of quality control, of more 
exacting requirements for assembly and checkout, etc, is limited 
by the law of diminishing returns, and, in the case of manned 
space mission with extended lifetimes, the value of maintainability 
is easily seen. 



Next, there are the tradeoffs associated with "indenture" level
or the size or amount of circuitry or equipment included in each 
replacement module. The lower the indenture level, the smaller 
the replacement modules and the less replacement of properly 
operating equipment; but locating the failure, gaining access to 
the failed part, and replacing it would be expected to take 
longer. The penalty, in terms of failure effect on the mission 
objectives, would depend on the importance of the objectives 
involved, the criticalness of their scheduling, etc. Also, the 
optimum indenture level would depend on whether the replaced 
modules are to be serviced. Using a higher indenture level has 
the advantages of shorter failure location and module replace- 
ment times, and, if the replaced module can be repaired, this 
would greatly reduce the required number of spares. There would, 
however, be a costly penalty associated with the test and repair 
equipment needed and providing a trained repairman for the crew. 

Further tradeoffs are associated with the completeness of the 
failure location and test equipment, and the required crew training. 

Presumably, failure location equipment provided could be so 
complete that the module containing the failed part is indicated 
automatically without any further checking. However, this would 
involve a rather extensive system that would, itself, be subject 
to failure. For each type of mission and vehicle, there is some 
optimum level of completeness of the failure location equipment 
and the associated training of the crew members, etc. 

To obtain the optimum compromise in these and other aspects, it 
is necessary to compare costs and the accomplishment of various 
mission objectives. This suggests the use of the concept of 
system cost effectiveness. Cost effectiveness is defined as the 
per unit cost of value received and system effectiveness as the 
probability of achieving mission objectives. If some commensurable 
value can be assigned to each mission objective, then it is more 
useful to define system effectiveness as the expected mission 
accomplishment in these value units and system cost effectiveness 
as the per unit cost of this expected accomplishment. This
provides a single quantity for comparison and reduces the reliability,
maintainability, and availability design problem to finding the
approach that yields the maximum system cost effectiveness.
The approach is to use a computer program to simulate the
performance of a set of mission objectives along with a history 
of the failure and maintenance actions performed on the various 
system elements based on failure and repair or module replace- 
ment times chosen randomly from specified probability 
distributions. The purpose of the simulation program, however, 
is not to show what can happen in one particular case, but to 
indicate the distribution of events along with their probabilities. 
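
The single-element availability measures from the Detail Breakdown of Availability section, checked against a mission simulation of the kind described above, as an added example that is not part of the original report. The failure and repair rates (MTTF 200 hr, MRT 2 hr), the one-spare-per-failure rule and all function names are assumptions; the 1000 hr mission time is the one the report selects for its sample program.

```python
import math
import random

# Constructed sample values (not from the report): MTTF = 200 hr, MRT = 2 hr.
LAM = 1 / 200.0      # failure rate, lambda = 1/MTTF
MU = 1 / 2.0         # repair rate, mu = 1/MRT
MISSION_HR = 1000.0  # mission time of the report's sample program


def instantaneous(lam, mu, t):
    """A(t) for one repairable element that is up at t = 0."""
    s = lam + mu
    return mu / s + (lam / s) * math.exp(-s * t)


def interval(lam, mu, t1, t2):
    """Average of A(t) over (t1, t2), with the integral taken in closed form."""
    s = lam + mu
    transient = (lam / s ** 2) * (math.exp(-s * t1) - math.exp(-s * t2))
    return mu / s + transient / (t2 - t1)


def steady_state(lam, mu):
    """Limit of A(t), and of the interval average, as t grows large."""
    return mu / (lam + mu)


def simulate_mission(lam, mu, mission_hr, rng):
    """One run: alternate exponential up times and repair times until the
    mission ends. Returns (fraction of mission time up, number of failures)."""
    t, up_time, failures = 0.0, 0.0, 0
    while t < mission_hr:
        up = rng.expovariate(lam)
        up_time += min(up, mission_hr - t)   # count only time inside the mission
        t += up
        if t >= mission_hr:
            break                            # element survived to mission end
        failures += 1
        t += rng.expovariate(mu)             # down while the module is replaced
    return up_time / mission_hr, failures


def run_missions(lam, mu, mission_hr, runs, seed):
    """Simulate independent missions; each run is a different random history."""
    rng = random.Random(seed)
    return [simulate_mission(lam, mu, mission_hr, rng) for _ in range(runs)]


def mean_up_fraction(results):
    """Monte Carlo estimate of interval availability over the mission."""
    return sum(frac for frac, _ in results) / len(results)


def spares_for_confidence(results, confidence):
    """Smallest spare count that covers every failure in at least
    `confidence` of the simulated missions (assumes one spare per failure)."""
    if not 0.0 < confidence <= 1.0:
        raise ValueError("confidence must be in (0, 1]")
    counts = sorted(n for _, n in results)
    return counts[math.ceil(confidence * len(counts)) - 1]


if __name__ == "__main__":
    results = run_missions(LAM, MU, MISSION_HR, runs=20000, seed=1)
    print("steady-state        :", round(steady_state(LAM, MU), 6))
    print("A(t) at t = 5 hr    :", round(instantaneous(LAM, MU, 5.0), 6))
    print("interval (0, 5 hr)  :", round(interval(LAM, MU, 0.0, 5.0), 6))
    print("interval (0, 1000)  :", round(interval(LAM, MU, 0.0, MISSION_HR), 6))
    print("simulated (0, 1000) :", round(mean_up_fraction(results), 6))
    for conf in (0.50, 0.90, 0.99):
        print("spares for", conf, ":", spares_for_confidence(results, conf))
```

The spread between the 50 percent and 99 percent spare counts is the same effect the report points to when it says the optimum depends on the confidence required in meeting the mission objectives.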

2. Application to a Sample Program

To gain a better understanding of some of the relations involved, 
the simulation program was used to study indenture level tradeoffs
in a typical attitude control computer as it might be incorporated 
in the attitude control system of a manned orbital space station. 

This piece of equipment was selected because it is typical of 
spaceborne equipment and because reasonable estimates can be made 
of the various pertinent parameters such as the mean time to 
failure and the fault location and repair times. A mission time 
of 1000 hr was selected, during which time a set of idealized 
experiments were assigned a representative range of performance 
times, critical times, availability coefficients, etc. The 
importance of each branch to each mission is given in terms of
a set of a priori objective coefficients. 

Five representative mission objectives were selected. The aim was 
to have mission objectives with a range of performance times, 
allowed failure effects, critical downtimes, and availability 
coefficients. To prevent complication of the results, the avail- 
ability coefficients were purposely kept low but were varied 
to have a basis for determining the effects and possible flexibility 
of this variation. The first objective has an objective performance 
time as long as the total mission. The equipment must operate for 
the entire time to have no failure effect (the allowed failure 
effect is zero), and a downtime longer than 1/2 hr would result in 
the failure of this objective (the critical downtime is 0.5). The 
second objective also has a performance time as long as the mission, 
but can be achieved in one-tenth of this time (the allowed failure 
effect is 0.9 of the performance time without taking away from the 
success of this objective). The critical downtime is also as long 
as the mission, which means that any operation of the equipment
during the objective performance time will result in at least 
partial success in meeting the objective. The remaining objectives 
have performance times of 100, 10, and 1 hr, respectively, and a 
variety of allowed failure effects and critical downtimes to 
evaluate the effects of these quantities on the mission achievement. 

In this study, the mission achievement was either 1.000 or 0.999 
for every run, and no further analysis of the failure effect was made. 
Four different indenture levels or module arrangements (where
modules are the parts to be replaced) were investigated with the 
attitude control system. It was assumed that each module was 
positioned with holddown screws and connected into the remainder 
of the system with connectors. The four indenture levels are: 

1) Single-circuit modules (total, 35 modules);

2) Dual-circuit modules (total, 19 modules);

3) Multicircuit modules (total, 4 modules);

4) Complete system module (total, 1 module).

Twenty-five runs were made for each indenture level where a run
is the simulation of a complete mission. Each run has a different 
sequence of random numbers so it represents a different possible 
mission history. 

The mean time between failures (MTBF) for each circuit in the 
attitude control system was computed by summing the mean failure 
rates for each component. The mean times for maintenance operations 
were estimated for each indenture level on the basis of the module 
size and composition. 

The computer simulation results for a typical indenture level are
shown in Table 2. Listed for each run are the weight and volume of
spares required, the combined weight of computer and spare modules,
and the system cost effectiveness (computed using a weight cost
factor of 10 to put the values in a convenient range, a volume 
cost factor of 0, and based on the combined weight of computer 
systems and spares). These runs are arranged in order of decreasing 
cost effectiveness. 

The contribution of each run to the system cost effectiveness is 
given by the last column in Table 2. From these results, it is 
evident that, for this case, the optimum indenture level depends 
on the confidence required in meeting the mission objectives 
(although the relation between percentage of runs and the 
confidence of achieving a given systems cost effectiveness is 
not discussed here). 
Table 2 Computer Simulation Run Results for Indenture Level A

Run   Mission       Spares      Spares          Combined    SCE
      Achievement   Weight, g   Volume, in.^3   Weight, g
24    0.999           90.10       3.02          3394.00     2.943
21    0.999          270.20       9.04          3574.10     2.795
11    0.999          368.30      13.06          3672.20     2.720
 4    1.000          458.40      15.08          3762.30     2.653
 5    0.999          458.40      15.08          3762.30     2.655
18    0.999          458.40      15.08          3762.30     2.655
 2    0.999          548.50      18.09          3852.40     2.593
 1    0.999          639.40      21.10          3943.30     2.533
 6    0.999          639.40      21.10          3943.30     2.533
 8    0.999          639.40      21.10          3943.30     2.533
16    0.999          639.40      21.10          3943.30     2.533
20    0.999          639.40      21.10          3943.30     2.533
 7    0.999          729.50      24.12          4033.40     2.477
23    0.999          729.50      24.12          4033.40     2.477
14    0.999          909.70      30.15          4213.60     2.371
15    0.999          909.70      30.15          4213.60     2.371
 3    0.999         1007.80      33.16          4311.70     2.317
12    0.999         1007.80      33.16          4311.70     2.317
17    0.999         1007.80      33.16          4311.70     2.317
19    0.999         1007.80      33.16          4311.70     2.317
10    0.999         1131.70      39.20          4435.60     2.252
13    0.999         1131.70      39.20          4435.60     2.252
25    0.999         1131.70      39.20          4435.60     2.252
22    0.999         1861.10      63.32          5165.00     1.934
 9    0.999         2984.80     102.51          6288.70     1.588

The tradeoff between indenture level and downtime is not apparent
because the allowed failure effects, critical downtimes, and the 
objective coefficients assigned to the various mission objectives 
were such that the mission achievement was equally high for all 
indenture levels. For more critical mission objectives, this would 
not be the case, and the additional time required to locate the 
failures and replace the failed modules at the lower indenture level 
would result in a significant decrease in the mission achievement; 
this would have to be weighed against the advantage of the small 
weight of spares. 

Another factor contributing to the lower weight and volume of spares 
required for the lowest indenture level (A) is the high commonality. 
The 35 modules are of five types, which reduces the spares
requirement considerably. For higher indenture levels, the ratio of the
number of modules to the number of types is shown as follows:

1) Indenture Level A, 35 modules, 5 types, commonality ratio = 7.0;

2) Indenture Level B, 19 modules, 5 types, commonality ratio = 3.8;

3) Indenture Level C, 4 modules, 2 types, commonality ratio = 1.0;

4) Indenture Level D, 1 module, 1 type, commonality ratio = 1.0.

In the attitude control computer selected, this commonality occurs 
because many of the elements and branches perform similar tasks. 

In many other systems, the different elements would perform 
distinctive tasks, and commonality could be increased only at the
expense of the efficiency or performance of the system. 

Conclusion 

The problem of determining the expected range of failure/ 
maintenance/availability histories, spare parts and maintenance 
equipment requirements, and the resulting effects on the system 
cost effectiveness for manned space vehicles with extended mission 
times is ideally suited to the simulation approach. However,
developing a simulation program is only part of the problem; 
an effective study of the maintainability design problem must 
also include an effort to determine the significant factors and 
how to incorporate these factors in the program to improve the 
program as a design tool to specify given requirements for 
maintainability, reliability, and availability. 
In the following chapters, the analytical basis for the
formulation of operational availability and examples of practical 
problems are discussed. Although the treatment of this subject 
is specifically aimed at the definition/design phase, the 
theoretical considerations and parameters are also present in the 
concept analyses areas. 
II. SCOPE AND CRITERIA



The problem of specifying operational availability requirements,
either at the system state or at the system element level, is a
complex of analytical and design actions that involve a wide
range of design variables and disciplines. As in the design of
a launch vehicle system to achieve a given performance capability,
the design for operational availability is a series of iterative
actions in which sizing of system elements permits comparing
what is obtainable versus what is needed. At each stage of design,
choices exist between both design alternatives and the system
performance parameters involved in meeting the mission requirements.
The decision criteria must, therefore, be provided at each
design maturity, and these criteria must be consistent with each
level of detail. The respective design interaction, and the
correlations existing among some of the availability parameters,
provide both a rationale and a baseline for refining the design
solution.

The subsequent implementation of a design protocol for the
determination of system operational availability involves the 
delineation of those functional areas and associated analytical 
techniques that permit quantification of the availability 
parameters. However, within each given functional area, detailed
analyses are required to determine, in depth, the respective
parametric performance characteristics and their interactions on
related subsystems. In this respect, the discipline of systems
analysis furnishes the necessary methodologies to assess various
alternatives as well as conduct optimization and suboptimization
studies.

Design Approach - As in most design problems, sizing and optimization 
of design is an endeavor to strike a balance between several 
variables that are often conflicting. Sizing to achieve an opera- 
tional availability is no exception. In a maintainable system, the 
balance is achieved between reliability of the system and the 
maintenance provisions. This balance is usually established on 
the basis of a criterion that describes the value of the system and 
program. The value criteria in an aerospace program will usually 
include the following factors: 

1) Cost; 

2) Development risk; 

3) Weight; 
4) Safety;

5) Size; 

6) Schedule. 

The implementation of a balanced design takes the form of a
detailed examination of the requirements to achieve the objective
(in this case, the degree and amount of operational availability)
as well as the postulation of alternatives that will satisfy the
program/system requirements. The closing on a compatible design
configuration of operational and support elements is essentially 
a progressive process. 

Figure 2 illustrates the interaction between the respective 
system design disciplines and the basic elements comprising 
each functional area. The analytical tools required, as well 
as the parameters generated at each point in the design process, 
yield an operational policy for implementing the design 
decisions in accordance with a set of criteria. The overall 
analysis uses simulation models and hypothetical scenarios for 
estimating the system performance characteristics. Subsequent 
verification of these system concepts provides a baseline from 
which further refinements are made. This iterative process 
converges rapidly in terms of satisfying the original require- 
ments and objectives. Figure 3 is an example of some of the 
elements that enter into the maintainability/reliability design 
process. The resultant design solutions (limited by technology 
available) include an assessment of the critical or most 
sensitive design or performance parameters. The analytic 
formulation of some typical design problems is treated in the
following chapters. The basic areas of redundancy, wearout, 
maintenance policies, failure and repair rates, as well as 
operational factors are considered. Both analytical approxi- 
mations and simulation techniques are demonstrated as viable 
tools in the solution of large-scale system problems. 
III. ANALYTICAL DESCRIPTION OF OPERATIONAL AVAILABILITY


A full description of the availability function and the associ- 
ated operational practice of a given system that can be 
maintained requires the specification of: 

1) The equipment failure and repair processes; 

2) The system configuration; 

3) The repair and maintenance policy; 

4) The state in which the system is to be defined as failed. 

Within the past few years, much attention has been paid to an 
analytical technique known as Markov Processes. Mathematical 
models based on Markov Processes have found wide applicability 
in the fields of biology, engineering, physics, and the social
sciences. In general, this technique uses the essential concept
that the probability of obtaining a particular outcome on any
trial (given a sequence of independent trials) depends only on
the outcome of the directly preceding trial. This implies
a knowledge of the conditional probability associated with every 
pair of outcomes. In addition, the space of all possible 
admissible states and how transitions are made over a sequence of 
trials must be adequately defined. Thus, for example, one may 
define the states of a piece of equipment as operating or failed, 
and then consider how transitions are made back and forth from 
each of the possible states. It is essentially this formulation 
that is applicable to the analytical description of availability. 
Furthermore, if the conditional transition probability is constant,
the resultant Markov Process is stationary. In the
discussion that follows, an analytical model using the Markov
Process is developed under these conditions.

To employ a Markov representation, it is assumed that the 
individual equipment fails in accordance with the negative 
exponential distribution, and the times-to-repair are also
exponentially distributed. 

If an item of equipment is designed so that those items that are 
expected to fail frequently have a relatively short repair time 
compared with those items that fail infrequently, an exponential
distribution of repair times is observed. On the other hand, if
every part in an item of equipment has the same failure rate,
and each takes equally as long to repair, a rectangular or
uniform distribution of repair times results. The induced
distribution of equipment repair times can be more easily controlled
by the designer than can the distribution of times to
failure. For example, if a few parts contribute the greatest 
percentage of equipment failures, the system designer can make 
sure that they are easily accessible for rapid replacement. 

It is assumed that the equipment failure cumulative distribution
is described by a negative exponential distribution, $F(t) = 1 - e^{-\lambda t}$,
so that the conditional failure probability in the interval t,
t + dt is $\lambda\,dt$. It is also assumed that the major portion of
failures can be repaired in a short time, while those items that
fail infrequently take a long time to repair. Therefore, the
equipment repair cumulative distributions are exponentially
distributed, and given by $G(t) = 1 - e^{-\mu t}$. Also, the probability
of completing a repair in the interval t, t + dt, given that it
was not completed at time t, is $\mu\,dt$.

In this formulation for maintained systems, it is necessary to 
develop the forward and backward differential equations that 
describe how transitions are made back and forth from state to 
state. If it is assumed that when an item of equipment fails 
it is immediately detected and repair is begun, and the times-to-failure
and times-to-repair are each independently exponentially
distributed, the resulting Markov Process is referred to as a
"Birth and Death Process." The Birth and Death Process describes
a system's availability in terms of transient and steady-state
components. For systems that are to be operating continuously
for a long time, the steady-state solutions are usually sufficient.
The basic equations for this simple formulation are developed
in Appendix B, as well as some significant variations, such
as partial repair, the case of n equipments with r repair men
(r = n, and r < n), as well as a two-equipment-item redundant
system. In addition, the problem of wearout, which involves 
a non-Markovian Process, is decomposed into a sequence of 
Markovian Processes by segmenting the input distribution into 
several exponential phases. This technique is also discussed 
in detail in Appendix B. 

For systems that can be maintained, there are two figures of merit
that are usually of interest. The extent to which a system can 
be expected to be in a state or condition to perform its assigned 
function within an established time frame and under given environ- 
mental conditions is referred to as the system's "availability." 

This approach has been treated in detail in the previous chapters. 
Still another figure of merit that is relevant to maintained systems 
is the "Mean Recurrence Time." This is the length of time to 
return to an acceptable state from a failed state. Sometimes this
figure of merit is called Mean Single Downtime. The importance
of the Mean Recurrence Time is obvious, because availability is 
concerned with the total time the system spends in acceptable 
states and does not indicate how this time is distributed. 

For example, in a 10,000-hr period, the system may fail once and
be down for a 10-hr duration, yielding an availability of 0.999.
On the other hand, the system may fail 10 times in the same period
and be down for 1 hr each time, also yielding an availability of
0.999.


Durations of single downtimes can also be related to a penalty 
cost that must be paid for each consecutive unit time the system 
is unavailable. An air traffic control system that establishes 
flight plans and directs the landing and takeoff of aircraft is 
an example. Long durations of single downtimes may mean queuing 
at takeoff, thereby delaying schedules, lost flights, and so on. 

In this sense, it would be preferable to have a higher system 
failure rate with shorter durations of single downtime incidences 
than a low system failure rate with long durations of single down- 
time incidences. 

During the preliminary design phases, consideration is usually 
given to the expected repair time of all items in the system 
and which failures would require the system to be down. A good 
example is the case of bearing supports in a radar pedestal. 

Although the failure rate of bearings may be relatively low, it 
may take several hours to replace one, and the radar set would 
have to be "off the air." Therefore, although the steady-state 
availability may not be significantly affected, the eventuality 
of a bearing failure may cause serious consequences--the radar
would be unavailable for several hours. At the preliminary 
design phase, this effect must be considered and alternative 
approaches that would reduce the duration of single downtime 
without significantly increasing system cost evaluated. One 
approach is to use high-level redundancy and duplex the radar 
pedestal. However, this alternative is costly. Another approach 
is a lower level of redundancy where only the bearing gear 
supports are duplexed to permit repair of a single bearing 
failure without affecting system downtime.



It may be well at this point to distinguish between the concept 
of statistical expectation and the steady-state, or state of 
statistical equilibrium. The expected value is simply the average 
value of the availability function over all possible values of the 
variable. If we had a large number of equipment items that had been 
operating for some time, then at any particular time we would 
expect the number of equipment items that are in state 0 (available) 
to be $NP_0$. Thus, the ratio of the number of equipment items
available to the total number of equipment items is simply $NP_0/N = P_0$.

When we are concerned with steady-state solutions, we are 
postulating the existence of limits, i.e., the steady-state 
distribution will maintain itself ideally in an infinitely large 
ensemble. The Markovian formulation does not consider fluctuations 
in the individual items of equipment. For example, if a particular 
equipment item fails on the average every 100 hr of operation and 
takes 1 hr to repair, its steady-state availability is $P_0 = 100/101$.
However, the range of the time of equipment failure is $(0, \infty)$.

Thus, the steady-state availability 100/101 says nothing about the 
fluctuations of an individual equipment item's availabilities. 

It tells us that, in an infinitely large ensemble of equipment 
items, for each item that never fails, there is one that fails
the instant it is "put-on." For a single-equipment item system 
(including some significant variations) it is not too difficult 
to develop the availability distribution and its moments. How- 
ever, for complex configurations the analytic effort is intractable 
and Monte Carlo simulation techniques usually have to be employed. 

In this respect, it is essential to conduct a statistical analysis 
of the simulation results to obtain confidence limits and assess
the effects of sampling. The question of how many samples to run 
is usually a compromise between computer costs involved and the 
accuracy of the results desired. 
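
The two-state (operating/failed) model, the Mean Recurrence Time illustration, and the sampling question discussed above, worked as an added Python example that is not part of the original report. It computes the steady-state availability for the 100-hr/1-hr item and for the two 0.999 cases, then samples individual histories to show the spread and a 95% confidence interval; the horizons, sample counts, seeds and function names are assumptions chosen for illustration.

```python
import math
import random
import statistics


def steady_state_availability(mtbf, mttr):
    """P0 = mu / (lambda + mu) = MTBF / (MTBF + MTTR) for the two-state process."""
    return mtbf / (mtbf + mttr)


def mean_interval_availability(mtbf, mttr, horizon):
    """Expected up-time fraction over [0, horizon] for an item that starts up.

    Time average of A(t) = mu/(lam+mu) + lam/(lam+mu) * exp(-(lam+mu)*t),
    the transient solution of the two-state birth and death process.
    """
    lam, mu = 1.0 / mtbf, 1.0 / mttr
    s = lam + mu
    return mu / s + lam / (s * s * horizon) * (1.0 - math.exp(-s * horizon))


def simulate_history(mtbf, mttr, horizon, rng):
    """Sample one failure/repair history of length `horizon` hours.

    Returns (fraction of the horizon spent up, list of repair durations).
    Failure is detected immediately and repair starts at once.
    """
    t, up_time, downtimes = 0.0, 0.0, []
    while True:
        ttf = rng.expovariate(1.0 / mtbf)   # exponential time to failure
        if t + ttf >= horizon:              # item survives to the end
            up_time += horizon - t
            break
        up_time += ttf
        t += ttf
        ttr = rng.expovariate(1.0 / mttr)   # exponential time to repair
        downtimes.append(ttr)
        t += ttr
        if t >= horizon:                    # still in repair at the end
            break
    return up_time / horizon, downtimes


def monte_carlo(mtbf, mttr, horizon, n_samples, seed=1):
    """Run n_samples independent histories and summarize them."""
    rng = random.Random(seed)
    avail, downs = [], []
    for _ in range(n_samples):
        a, d = simulate_history(mtbf, mttr, horizon, rng)
        avail.append(a)
        downs.extend(d)
    mean = statistics.fmean(avail)
    # Normal-approximation 95% confidence half-width on the sample mean.
    half = 1.96 * statistics.stdev(avail) / math.sqrt(n_samples)
    return {
        "mean": mean,
        "ci95": (mean - half, mean + half),
        "min": min(avail),
        "max": max(avail),
        "failures_per_history": len(downs) / n_samples,
        "mean_single_downtime": statistics.fmean(downs) if downs else 0.0,
        "longest_single_downtime": max(downs, default=0.0),
    }


if __name__ == "__main__":
    print("100-hr MTBF, 1-hr repair:", monte_carlo(100, 1, 1000, 2000))
    # Two constructed designs with the same 0.999 steady-state availability,
    # matching the 10,000-hr illustration in the text.
    for label, mtbf, mttr in (("rare/long", 9990, 10), ("frequent/short", 999, 1)):
        print(label, monte_carlo(mtbf, mttr, 10000, 2000))
```

The `min` and `max` fields show how far a single item's history can sit from the ensemble figure, and `mean_single_downtime` separates the two 0.999 designs that availability alone cannot tell apart.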





IV. ILLUSTRATIVE EXAMPLES OF OPERATIONAL AVAILABILITY


A. MINIMUM COST CRITERIA FOR A GIVEN AVAILABILITY 


When operational availability is used to address a problem of 
meeting a time constraint, i.e., a specific schedule time, the 
analysis is concerned with the selection of operational modes 
in terms of time, spares, and expected failure rates. When 
availability is defined to mean the probability that the system
will be in an acceptable condition in any given state, the
analysis is concerned with either a particular solution
(evaluation of initial conditions) or long-term (steady-state)
solution of the basic availability equation. In this case,
the sizing of MTBF and MTTF serves as goals or allocations from
which system concept and definition design can be performed.

One example of the latter case is described in Appendix C. In
this design problem, the steady-state, long-term availability
of a system in a given mission state is of prime concern. This
example describes a particular problem in which the given
availability and minimum cost are the criteria for selection.

In addition to the specification of the factors that contribute
to MTBF and MTTF, this example problem also shows that the
sensitivity of figures of merit requires testing to verify that the
indicated results are valid. In this case, a simple joint
probability computation verifies the selection.

The analytical development of this technique for a uniform 
distribution is given in Appendix D. The results are quite 
straightforward, and the derivation may be applied to various
other overlapping probability densities. 


B. PROBABILITY OF LAUNCH ON TIME

The launch-on-time concept of availability can be addressed in a
manner similar to the example given in Appendix C. The decision
as to how to achieve a given level of probability of readiness
is concerned with apportioning between MTBF and MTTF and then
allocating these values to the technical parameters of the system.
There is, however, yet another approach to solving this same
generic type of problem. This is illustrated in Appendix E.

This example is an operational analysis aimed at selecting 
mission state duration, as well as the generation of a concept 
to meet a given probability of two successful launches. In this
case, the MTBF of the system is assumed fixed. This is a 
reasonable condition because the vehicle design leads the ground 
system design in the development process. This analysis has as 
its objective to establish the launch operations strategy and the 
reliability and logistics requirements that yield an acceptable 
operational availability. The exact nature of this analysis
is described below: 

It is assumed that the system concept is made up of a launch 
vehicle and a mission payload module. The problem is then to 
launch two payloads within a specified launch period. The 
operational analysis provides a solution to establish the launch 
operations strategy and the reliability and support requirements 
that best meet the availability objectives. The variables in
this analysis are: 

1) The probability of holds during operations on the launch pad
due to,

a) Launch vehicle malfunctions,

b) Spacecraft malfunctions,

c) All other causes;

2) Recycle of the launch vehicle in the event of a malfunction
on the launch pad;

3) Recycle of the spacecraft in the event of a malfunction on
the launch pad;

4) Spares provisioning and replacement time for, 

a) Launch vehicle, 

b) Spacecraft; 

5) The duration of the launch period; 

6) Turnaround time between launch attempts. 
Dealing at this level of design, major system decisions are made
such as: 

1) What is the optimum time for launch operations as a 
function of reliability of the major system elements? 

2) What are the system element spares that yield the greatest 
probability of mission success? 

To illustrate this operational analysis, a hypothetical case is 
developed in which it is desired to perform two launches of a 
vehicle and its payload. In this example, the analyses resulted 
in: 

1) Estimates of reliability for the system elements (launch 
vehicle and payload); 

2) Recycle time for the system elements in the event of 
malfunction; 

3) Limitation on the number of malfunctions. 

Furthermore, previously determined mission analysis studies have 
selected three operational concepts for analysis: 

1) Candidate 1, 

a) 22-day launch period, 

b) 10-day turnaround (launch-to-launch),

c) Spare launch vehicle and payload; 

2) Candidate 2, 

a) 30-day launch period, 

b) 16-day turnaround, 

c) No spare launch vehicle, with spare payload;

3) Candidate 3, 

a) 30-day launch period, 

b) 10-day turnaround (launch-to-launch),

c) No spare launch vehicle, with spare payload.


Table 3 shows the initial conditions that apply to these three
cases.

Table 3 Conditions and Assumptions

1. Probability of a malfunction or delay during any one launch
attempt (can reoccur):

   Launch vehicle      0.05
   Payload             0.05
   All other causes    0.05

2. Recycle times (malfunction-to-launch):

   Payload recycle                                     19 days
   Launch vehicle recycle                              14 days
   Replace integrated launch vehicle and payload        5 days
   Remove payload from launch vehicle and replace       9 days
   All other causes                                     3 days

3. The payload is limited to a total of 2 recycles.

4. The probability of the payload requiring recycle before
launch pad operations = 0.05 (can reoccur). This applies
to both prelaunch and recycle operations.

5. The probability of the launch vehicle sustaining a malfunction
during recycle that would preclude launching on time = 0.05.

6. The program requirement for probability of two launches
within a specified time period is 0.015.
The detailed analysis of these three candidates is included in
Appendix E. For this sample problem, the analytical approach is 
relatively simple and straightforward. It would have required more 
complex methods and techniques had the numbers of variables 
entering into the decision been larger. 

Table 4 compares the three approaches in terms of percentage of
launch-on-time risk. The second candidate differs from the first
in that the launch period was longer (22 to 30 days) and the
turnaround time was longer (10 to 16 days). These changes
essentially counteracted each other. The significant difference
is that a spare launch vehicle and payload were considered in
Candidate 1. Deletion of the spare set increased the launch vehicle
risk from 0.30 to 3.46%.

The third candidate differs from the second in that the turnaround 
time has been reduced from 16 to 10 days. This reduces the total 
risk from 3.98 to 0.85%. Most of the risk in No. 3 is due to the
launch vehicle, because no spare is provided. This candidate 
compares favorably with No. 1, although it is not quite as good. 

Table 5 compares the approaches in terms of the number of 
malfunctions that can be tolerated on the launch pad during the
launch period. The No. 2 approach is very restrictive; only 
one malfunction could occur in the launch vehicle and that had 
to occur in the first vehicle. The third candidate can tolerate 
more malfunctions than No. 1, depending on where they occur; 
however, there is an increased risk of a malfunction occurring 
during launch vehicle recycle. The first approach allows for 
one launch vehicle recycle, while No. 3 allows a maximum of three. 
The more recycles, the higher the risk. 

The following conclusions were drawn from this study: 

1) The launch-on-time risk for No. 3 is substantially less than
for No. 2 and compares favorably with No. 1. This was
achieved by reducing the turnaround time from 16 to 10 days;

2) Candidate No. 1 meets the allocated launch-on-time risk of
1.5%;

3) Most of the risk is caused by the launch vehicle because a
spare is not available;

4) The launch-on-time risk cannot be reduced by further
reduction of the turnaround time or extension of the launch
period;
Table 4 Comparison of Launch-on-Time Risks

                       Launch-on-Time Risk, %
                    Candidate 1   Candidate 2   Candidate 3
Payload                 0.32          0.54          0.09
Launch Vehicle          0.30          5.46          0.76
All Other Causes        0.05          0.01          0.00
Total Risk, %           0.66          5.98          0.85

No. 1 - 22-day launch period
        10-day turnaround
        Spare launch vehicle and payload

No. 2 - 30-day launch period
        16-day turnaround
        No spare launch vehicle
        With spare payload

No. 3 - 30-day launch period
        10-day turnaround
        No spare launch vehicle
        With spare payload
Table 5 Maximum Number of Malfunctions That Can Be Tolerated
(Two Launches)

Malfunction         Candidate 1   Candidate 2   Candidate 3
Payload                  2             2*          2 or 3
Launch Vehicle           2             1†          2 or 3
All Other Causes         3             4             6

*Both malfunctions must occur in the first
vehicle; otherwise, we can tolerate one payload
malfunction in Vehicle 1 OR one payload
malfunction in Vehicle 2.

†Must occur in Vehicle 1. We cannot tolerate
any launch vehicle malfunctions in Vehicle 2.
5) An increase in turnaround time or a decrease in the launch
period would result in a significant increase in the launch-on-time
risk;

6) The launch-on-time risk could be significantly reduced by
providing a standby launch vehicle and payload. This would
also provide flexibility to changes in turnaround time and
launch period. However, a spare launch vehicle and payload
is not warranted by this analysis. A more sophisticated
analysis would have to be conducted to determine if such
a selection should be made;

7) On the basis of this analysis, Candidate 1 is selected 
because it provides the most margin with respect to the 
system risk requirement. 
MONTE CARLO AVAILABILITY SIMULATION


The Monte Carlo method may briefly be described as the device 
of studying a real-world phenomenon by means of a simulated
mathematical process, using random sampling to structure the 
solution and establish statistical inferences. The device 
is certainly not new. Moreover, the theory of mathematical 
simulation has been a subject of study for quite some time,
and the novelty of the Monte Carlo method does not lie here. 

The novelty lies rather in the suggestion that where complex 
situations exist that demand numerical solutions not readily 
obtainable by standard analytical methods, there may exist a
mathematical simulation process with statistical distributions 
or parameters that adequately approximate the real-world 
circumstances. In these instances it may actually be more 
efficient and economical to construct such a process and compute 
the statistics, rather than attempt to use deterministic methods 
to describe the system. 

Historically, the original von Neumann-Ulam concept seems to 
have been that Monte Carlo specifically designated the use 
of random sampling procedures for treating complex deterministic 
mathematical problems not easily amenable to numerical solution. 
However, some define Monte Carlo to be the exclusive use of 
random sampling procedures to treat problems, whether of a 
deterministic or probabilistic sort. Others demand that the
sampling be sophisticated (involve the use of some variance 
reducing technique) to qualify as Monte Carlo; they reserve 
the names straightforward sampling, experimental sampling, or 
model sampling for the cases where purely random sampling is
used. However, the economics of computing changes so rapidly 
with the advent of faster and faster machines that Monte Carlo 
methods are being successfully applied to more and more 
sophisticated and complex problems. The situation now is that 
in common usage, Monte Carlo is synonymous with any use of 
random sampling in treatment of either deterministic or 
probabilistic problems. 

The application of the Monte Carlo simulation technique to 
operational availability is given in Appendix F. This model 
computes the system availability of a launch vehicle, which 
involves a sequence of tests, and storage of specified system
and subsystems. Figure 4 illustrates in schematic form the
launch vehicle storage and test cycles.





The development of the storage and test cycles is illustrated in
Appendix F, along with the simulation results. It may be concluded
that:

1) The most important factor affecting the availability of the 
launch vehicle is failure rate of parts; 

2) Availability after each storage and test cycle drops off 
continuously; 

3) Probability of detecting a failure is relatively (within
normal ranges) insensitive to availability; 

4) Length of launch vehicle storage (for example, 12 months or 
36 months) will cause availability to fall off sharply.

In running this Monte Carlo simulation, the basic data was
accumulated over a 36-month period, using Markov transition
matrices for storage and test operations. Thus, the sample
size was large, so that statistical variations were minimized.

The illustrative examples presented focus attention on the
various applications and different types of problems or
in determining operational availability. The analytical concepts 
developed provide a framework for structuring a broad class of 
problems, and furnish insight into the subtle mechanisms of 
obtaining real-world solutions that are useful to the engineer 
and the designer. The subsequent interpretation and integration 
of these results into a comprehensive methodological design tool 
is a continuing process, combining both the skill and analytical 
ability of the design team. Note that a total system approach 
involves a complete effectiveness analysis of the essential
parameters of operational availability in terms of the performance 
characteristics of the overall system. Thus, although operational 
availability has been treated as a separate topic, its effective 
impact on related subsystems and other functional requirements 
must also be examined. The end result is to yield a design 
concept that is analytically sound, economically feasible, and 
capable of being implemented in a real-world application. 

In summary then, operational availability may be approached from
several apparently different and divergent viewpoints. However,
it should be observed that this basic parameter must be analysed
both on a systems and individual basis to achieve an integrated 
and balanced design. 





APPENDIX A - CONSIDERATIONS FOR SYSTEMS PERFORMANCE EFFECTIVENESS
MODELS


ANALYTIC MODELS FOR EFFECTIVENESS EVALUATION 


Any meaningful application of the systems performance effective- 
ness concept to a particular project requires a quantitative 
methodology to evaluate the effectiveness of a proposed or actual 
system in terms of selected measures, requirements, and decision 
criteria. Until this is done, the concept of systems performance 
effectiveness for a project has little use--except perhaps as a 
rallying point for arguments about the advantages of System X 
over System Y. The need for a systems performance effectiveness 
evaluation methodology begins at the inception of the system
life cycle and continues through the succeeding design, develop- 
ment, production, test, and operational phases. Despite the 
obvious differences in the depth of the analysis applicable to 
these phases, the need for a quantitative methodology applies
throughout.

Evaluation methodologies for systems performance effectiveness
characteristics can be broadly characterized in terms of two
approaches--the empirical and the analytic (Ref 1).

An empirical methodology is one devoted to data collection and
evaluation of existing systems. Thus, it is possible to evaluate
systems performance effectiveness by means of performance
observations of systems in the field. While this approach is
undoubtedly the most accurate, it is feasible only for systems or
projects that are very far advanced in their life cycles.

An analytic methodology, on the other hand, is one that derives
its results by inference, and uses a set of assumptions and
procedures as a framework to compute an effectiveness description
of the system in question. This descriptive system framework
is called an analytic model, and the description of System X in
these terms is called the analytic model of System X.

Purely empirical or purely analytic methodologies are, of course,
not very useful. The former yields highly authoritative data 
too late to be useful, while the latter yields answers unsup- 
ported by facts. In practice, a balance is sought. This bal- 
ance will normally change during the life cycle of a system. As 
data about the behavior of the system become more available, the
analytic model gradually merges into an empirical model; as the
data become more available and as confidence in their value
increases, statistical sample data supplant the assumptions.

Analytic models, moreover, usually remain useful even with regard
to the empirical data obtained from system samples taken during
acceptance tests. Also, these data often require interpretation
simply because it is impractical to conduct tests that are
sufficiently elaborate to yield statistically significant
effectiveness data directly.

The need for analytic models to predict systems performance 
effectiveness thus emerges from the need to evaluate the effec- 
tiveness before the system has been in use for many years. The 
following discussion considers the analytic models--with the
understanding that empirical methods will always be required to
provide inputs for the analysis.


CHARACTERISTICS OF AN EFFECTIVENESS MODEL (REF 2)


There are certain general characteristics that any mathematical 
model should have to be a useful tool to predict effectiveness.
These are:

1) Independence from design assumptions - If the concept of
effectiveness is to be applied as a technical management 
tool, there is a demand that the effectiveness-analysis 
technique, and consequently the analytic model, be capable 
of evaluating alternative (or modified) system designs with 
respect to a fixed set of mission models and variables. To 
whatever extent the analytic model presupposes system design 
configurations or characteristics, the model is not able to 
evaluate alternative designs that are not within these con-
straints, and hence it may not provide a basis for compari-
son or optimization. For example, if the analytic model is
built in terms of a given system-design configuration, other
design configurations may be inequitably treated if subjected
to the same analysis. 



2) Usefulness throughout the system life cycle - The analytic 
model should be one that can be used throughout the system 
life cycle. In the early stages of the cycle, relatively 
few data are available on the statistical or performance 
capability of the system, and a substantial number of assump- 
tions must be made to permit the analysis. As the life cycle 
progresses through design, development, test, and implementa- 
tion, additional design and sample test data ordinarily become 
available. The analytic model, therefore, should be designed 
to accommodate these changes in inputs, and yield successive
systems performance effectiveness predictions throughout the
life cycle, with increased confidence in the results.

3) Realism in the analytic assumptions - The physical and mathe- 
matical assumptions on which the model is founded must be 
realistic with respect to the expected characteristics of the 
mission and system operations. There is a great temptation
to construct analytic models based more on mathematical ele- 
gance than on realism. 

4) Tractability of the evaluation - For the model to be usable, 
it must give numerical answers when exercised. This implies 
the model must be quantitative even in the face of limited 
data and it must be amenable to computation. Clearly, this 
model characteristic must be traded off against the character- 
istic of realism. The art of modeling consists, in large 
measure, of establishing this balance. 


C. SELECTING AN EFFECTIVENESS MODEL 


There appear to be three fundamental classes of considerations 
that enter into the selection of an appropriate effectiveness
model--the outputs required for system management and optimiza-
tion, the nature of the systems to be analyzed, and the mission
characteristics to be employed. 


1. Output Considerations

The definitions of the variables, requirements, and decision 
criteria influence the selection of an appropriate effectiveness 
model. The following questions are typical of those that must 
be answered: 


1) Can the system-oriented performance variables be identified
with specific hardware, or are they more closely tied to 
overall system behavior, including software? 

2) Was an iterative methodology employed to establish the re- 
quirements and decision criteria? (The requirements on the 
model themselves could change during the iterative procedure,
and these changes must be incorporated.) 

3) Is there one principal performance variable that corresponds
to one principal system function, or is the system called 
upon to do many things? 

4) Will the utility and tradeoff data permit the results of 
effectiveness analysis to be expressed in terms of discrete 
quantities, or will probability distributions be required to 
describe systems performance effectiveness adequately? 

5) Are the variables binary (success/failure) or multivalued?

2. System Considerations

System considerations concerning the choice of an effectiveness 
model have their greatest effect on the statistical and logical 
assumptions that underlie the model. In a given system, it may 
be uniquely possible to identify subsystems with their corres- 
ponding functions, and in such a case the effectiveness evalua- 
tion is simplified. On the other hand, if interaction of sub-
system functions is expected, particularly with degraded modes
of operation, the model must incorporate this flexibility of
interaction. Additionally, the analytic model often incorporates 
assumptions concerning the statistical behavior of the system. 
These assumptions may be valid for the system in question, and 
they may be consistent with the available data. Finally, the 
scope and complexity of the system must be considered. The 
delicate balance between tractability and realism discussed
above must be resolved in terms of anticipated system size (size 
being expressed in such terms as the number of components). 

3. Mission Considerations 

In addition to mission effects, described in Subsection 1, a 
series of representative mission profiles also must be examined 
as part of the model-selection process. 
The results of the studies discussed elsewhere in this report
are closely involved in this examination. For example, is the 
system operating in a steady-state environment, or are the 
missions short compared with other statistical time parameters? 

In the former case, an equilibrium or steady-state model may be 
employed. In the latter case, a mission-sensitive model in 
whole or in part is required. 

Again, is the mission function carried out over a time segment, 
or is a point mission involved? Are there one or several critical 
mission segments? Do the requirements and decision criteria for 
systems performance effectiveness change with mission mode? Do 
the reliability and maintainability characteristics of the sub- 
systems change as a function of a mission segment? 

a. Mission Analysis (Ref 3) - Before analyzing a well-defined 
system, let alone developing a new one, it is necessary to know 
what the system is supposed to do, i.e., what missions it must 
perform. It is relatively easy to establish performance envelopes 
for various subsystems that, in turn, enable the system to per- 
form one task in one environment. The problem, however, becomes 
much more difficult if one must consider many tasks under many 
environments. 

One scheme often used is to develop figures of merit. This 
scheme weights the effectiveness figure for each task by the 
frequency with which the system may be called upon to perform 
each task. However, systems are developed to satisfy specific 
mission requirements that have been formulated on the basis of 
specific tools. The best system selected in accordance with 
such a scheme may not, therefore, be capable of responding to a
specific parameter value that of itself may be extremely serious, 
but also may occur very often. Thus, a system may not be satis- 
factory from the standpoint of a specific subtask. 

It is possible, however, to alter the method by weighting the
parameters by their severity and expected frequency of occurrence,
and thus design the system for some other weighted average of
values. However, this does not solve the problem either, be-
cause optimizing an answer to any average value does not optimize
the answer to each particular value. Perhaps the solution is to
develop a procedure to optimize the effectiveness of answering a
suitably chosen average that is subject to the achievement of
a given effectiveness figure against each specific value.
On one hand, it makes little sense to speak about the average
effectiveness, or the average environment. On the other hand,
one cannot optimize with respect to a single mission unless the
system has only one task to perform. Such a procedure, therefore,
leads to all the difficulties associated with suboptimization, 
which results when one tries to optimize a system by optimizing 
each subsystem. 

b. Figure of Merit - Perhaps the difficulty associated with the 
formulation of an appropriate figure of merit can be best ex- 
plained by a discussion of the analogous problem encountered 
with the parameters of a frequency distribution. For example, 
with a distribution a population can be characterized by its mean;
but this does not indicate the variability about this mean. A
measure of variability, called the standard deviation, can also
be added to this characterization.

Yet there will be other properties of the population that are not 
pictured by any of these characterizations, e.g., the lack of 
symmetry. If the 10th and 90th percentiles are also given, how- 
ever, a more complete picture of the population begins to take 
shape. Nevertheless, no finite set of parameters can ever com- 
pletely describe a real population or its frequency distribution. 

Similarly, if one wants to know the system-effectiveness figures 
in all situations, something analogous to the frequency distri- 
bution is needed. Although there may be a figure of merit anal- 
ogous to the mean in the frequency-distribution example, it can 
never give all the information about the system. 

c. Degraded Performance - At the component level, degradation 
can be thought of as measured by the number of failed components. 
At the system level, however, degraded performance may refer to 
the probability of performing the mission. For example, the 
system might be designed to be capable of performing its mission 
95% of the time in one environment. In another environment, how-
ever, it may have only a 90% capability, and this may be consi-
dered degraded performance.

On the other hand, consider a radar-weapons system. Its design 
performance consists of being able to pick up an object at a 
certain distance, and then being able to assign appropriate 
weapons once the object has been correctly classified. A proba- 
bility is associated with each subsystem performance and, hence, 
also with the system's performance. If the probability asso- 
ciated with any subsystem is reduced, however, the probability 
of system performance will also be reduced; this, too, can be 
considered degraded performance. 
Models of degraded performance can also be modified so that they
are time-variant. There are, moreover, many other possible defi-
nitions of degraded performance. The one to use, of course, is 
the one that is useful in assessing a system. Much current work 
is misunderstood because one group does not use the same concept 
of system degradation as another. 

d. Human Factors - Concern for human factors falls into three 
major areas—life support, personnel and training, and human 
engineering. It is the goal of life support to maintain and 
protect the human by controlling his environment; the goal of 
personnel and training is to select, train, and assign the human 
for operational tasks; and human engineering provides the design 
engineer with the basis for the most effective use of the human 
component of the system. In short, the discipline of human 
factors in systems performance effectiveness requires that the 
man module be considered just as a hardware component—to be
evaluated for cost, reliability, maintainability, availability, 
and operability. In addition, the man module must be considered 
for trainability. 

To achieve these goals in a disciplined fashion, certain procedures 
must be followed. These procedures are not one-time events to be 
accomplished early in the development phase, but rather are itera- 
tive procedures that must be reviewed and changed where necessary 
just as design is reviewed and changed during an equipment's de-
velopment.


D. ANALYTIC FRAMEWORKS FOR EFFECTIVENESS MODELS


The development of a model that satisfied the conditions cited 
in the preceding section is at best a complicated task. However, 
even under the assumption that such a model is realizable, its 
range of application without some types of modification would be 
restricted. This is due to the nature of the requirements, di- 
verse operating conditions, and use factors that generally are 
an integral part of the specific system. To help solve this 
problem, an approach that uses a system effectiveness framework 
has been developed. In this approach, the basic system perform- 
ance effectiveness elements remain constant for different system 
missions and use functions, although the more detailed factors 
underlying the basic elements are subject to change, depending 
on the particular problem analyzed. 
Several systems performance effectiveness models have been de-
veloped. Table 1 lists equations for the more general models
used. All these equations concern systems performance effec- 
tiveness, but each approaches the subject in a different manner, 
reflecting the needs of the individual user. 

The following general equations are derived (Ref 4): 

E s • e a= e - 

$$f(P, A, U) = f(P_c, P_t) = f(A, D, C).$$

Note that properly constructed models of the same system carrying 
out the same mission will give the same evaluation and may even 
be mathematically identical. The basic equations given in Table 
1 can only be used for simple systems in simple missions, even 
if the equations are assumed to be in matrix form. 

Several systems performance effectiveness models are given below. 
Emphasis has been placed on describing the framework of each 
model rather than on providing a detailed description. 

1. The Effectiveness Model (Ref 5)

The first term, performance (P), in the effectiveness model (PAU) 
can be expressed within several frames of reference. In the 
single-mission system, the expression is derived from a variety 
of measurements, e.g., area destroyed, tons of cargo or number
of passengers delivered, emitters located and identified. Two
important conditions apply: (1) the measurement standard used
must be applicable to the parameter used to determine the per-
formance level, and (2) the answer derived from exercising the
expression must be used with caution because, with other than 
extremely simple systems, the achieved performance capability 
is almost always less than the theoretical performance capability. 
This circumstance occurs because the design-optimization process 
requires that some tradeoffs be made to achieve optimization of 
the overall system. As a result, even for the relatively simple, 
single-mission system, P is expressed as an index representing 
the ratio of the achieved performance level to the theoretical 
desired level. In essence, it is a figure of merit even under 
the assumption of absolute availability and absolute use. 
[Table: TITLE | EQUATION | TERM | EXPLANATION OF TERMS; surviving entry: aggregated costs of operating and maintaining the system]

In the case of the multimission system, consideration must also
be given to the interaction of two judgments. The first com- 
prises the assignment of weighting (importance) factors to the 
several mission modes of the system in such a way that their sum 
is 1.0. The second comprises the determination of the fraction 
of the system’s total mission time that will be devoted to each 
of the several mission modes. 

It is in the multimission system that the compelling reason for
using indexes becomes most apparent. Many such systems have 
completely disparate standards for measuring the performance of 
their various mission modes. A comparison or aggregation of per- 
formance indexes that use different measurement standards cannot 
be attempted validly. For example, tons of cargo delivered, area 
destroyed, personnel transported, and enemy radar sites located 
and identified cannot logically be compared or aggregated.

The second term, availability (A), is more complex than the 
first. Overall availability is relatively easy to measure, but 
separating the overall value into factors of reliability, main- 
tainability, operability, and supportability remains a difficult 
task—particularly in regard to prediction of the effect of up-
time or downtime.

The third systems performance effectiveness term, utilization 
(U), accounts for factors that are introduced by the tactical,
functional, logistical, and environmental use of the system; all
four are a function of the operational doctrine of the system. 

Utilization factors represent the degradation in system perform- 
ance caused by mission conditions. The following are some ex-
amples:

1) Loss of accuracy; 

2) Increase in part failure rate due to high ambient temperature; 

3) Reduction in repair-part availability due to remoteness of 
location from supply depot; 

4) Infrequent use of search radar for security reasons. 

The utilization factors, except for analytic exercise of the 
model, are relatively constant. However, the assigned values 
will change whenever operational goals and criteria are modified 
in the process of achieving consonance between them and technical
goals and criteria.
The real significance of the utilization factors lies in their
ability to be varied in both sensitivity and tradeoff analyses
for optimizing the entire system and its use. The systems per-
formance effectiveness model thus becomes a tool for bringing
operational and technical goals and criteria into agreement with
each other.

If the goals and criteria are not in agreement, technical managers
can use the models to demonstrate to their operational counter- 
parts the desirability of changing the operational goals and cri- 
teria. In such a demonstration, the utilization factors are 
varied to show the impact of the variances on the index of the 
system’s performance effectiveness. If this exercise does not 
demonstrate the desirability of changing the operational goals 
and criteria, the technical manager can readily understand why 
he must revise his goals and criteria to coincide with those of 
the operational manager. In most cases it will become clear to 
both that revisions are necessary on both sides to achieve an 
optimum system. 

As with the performance and availability indexes, the variances 
in utilization indexes must be evaluated in terms of cost con- 
siderations and overall worth considerations. Each variance of 
a factor affects the other factors and is, in turn, affected by 
variances in other factors. At the same time, each variance of 
a factor has an associated cost that must be considered. Only 
when all factors have been considered in terms of mission accom- 
plishment will true performance effectiveness be achieved for 
the system. 

2. Mission-Oriented System-Effectiveness Model

This subsection summarizes the generalized mission-oriented sys- 
tem-effectiveness model that was developed by Task Group II of 
WSEIAC.* In the simple case in which the system can only be in
either a working state or a failed state, the measures of avail- 
ability, dependability, and capability concern the following 
fundamental questions: 


* Weapon System Effectiveness Industry Advisory Committee (WSEIAC).
Final Report of Task Group II, Prediction Measurement. AFSC-TR-65-2.
System-Effectiveness Division, Air Force Systems Command; January
1965. (AD-458434, 48455, and 45856)

1) Is the system working at the start of the mission?

2) If the system is working at the start of the mission will it
continue to work throughout the mission?

3) If the system worked throughout the mission, will it achieve 
mission success? 

Although these questions represent the fundamental approach to 
be used in evaluating effectiveness on a mission-oriented basis,
they are too simplified for purposes of model construction. 
Moreover, as the systems considered become more complex (e.g., 
there are more than two possible system states) such elements as 
degraded modes of operation, multimission requirements, enemy 
countermeasures, and natural environment must also be quantified 
in the model. 

The basic effectiveness model can be divided into two major ele-
ments--the probability that the system will be in a particular
state at mission-performance time, and the effectiveness of the
system when it is in that state. Thus, if effectiveness is
quantified by a probability that the system will successfully
meet the mission objectives, each term in the product A · D
represents the probability that the system will be in a particu-
lar state, and the corresponding term in the C vector is the
effectiveness of the system, given that state. For example,

$$E = A \cdot D \cdot C = \sum_i \{P[\text{system is in state } i] \cdot P[\text{mission objectives are met, given state } i]\}.$$

For some types of systems and missions, it may be more desirable 
to quantify effectiveness by some performance parameter other 
than a probability. For example, the expected miss distance for
a missile might be a more meaningful performance parameter than
the probability of hitting within a specified area. For a
reconnaissance system, the average amount of usable information
might be appropriate. Figures of merit for these forms are
readily usable by the appropriate quantification of the C vector.
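
An added example, not taken from the report or from WSEIAC, that evaluates E = A · D · C state by state for a three-state system (full, degraded, failed), once with C as a success probability and once with C as an average amount of usable information. Every number is constructed, and the function and variable names are assumptions made for the illustration.

```python
# Added illustration of the framework E = A . D . C.
# Every number below is constructed for the example.

STATES = ("full", "degraded", "failed")

# A: probability of each state at the start of the mission (availability).
A_VEC = [0.90, 0.07, 0.03]

# D[i][j]: probability of ending the mission in state j after starting it
# in state i (dependability). No repair during the mission is assumed.
D_MAT = [
    [0.95, 0.04, 0.01],
    [0.00, 0.90, 0.10],
    [0.00, 0.00, 1.00],
]

# C as a probability that mission objectives are met, given the state.
C_PROB = [0.98, 0.60, 0.00]

# C as a non-probability figure of merit: average usable images per mission.
C_INFO = [1200.0, 400.0, 0.0]


def is_distribution(row, tol=1e-9):
    """True if the row is non-negative and sums to one."""
    return all(p >= 0.0 for p in row) and abs(sum(row) - 1.0) <= tol


def effectiveness(A, D, C):
    """Return (E, state probabilities A.D, per-state terms of the sum)."""
    n = len(A)
    if len(C) != n or len(D) != n or any(len(r) != n for r in D):
        raise ValueError("A, D and C must describe the same set of states")
    if not is_distribution(A) or not all(is_distribution(r) for r in D):
        raise ValueError("A and every row of D must be probability distributions")
    # Each entry of A.D is P[system is in state j] at mission-performance time.
    state_probs = [sum(A[i] * D[i][j] for i in range(n)) for j in range(n)]
    # Each term is P[state j] times the effectiveness given state j.
    terms = [state_probs[j] * C[j] for j in range(n)]
    return sum(terms), state_probs, terms


if __name__ == "__main__":
    for label, C in (("P[success]", C_PROB), ("usable images", C_INFO)):
        E, probs, terms = effectiveness(A_VEC, D_MAT, C)
        print(f"{label}: E = {E:.4f}")
        for name, p, term in zip(STATES, probs, terms):
            print(f"  {name:9s} P[state] = {p:.4f}  contribution = {term:.4f}")
```

With only a working and a failed state, the same function collapses to the product of the answers to the three questions listed earlier.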

The mission model proposed by the WSEIAC Task Group II is, in
essence, more a model framework for effectiveness evaluation
than a directly applicable set of equations. This generality
is necessary because the range of possible systems, missions,
and depth of analysis precludes the specification of any single 
model. 
The model framework, based on the availability, dependability,
and capability factors, allows for flexibility in application 
by an appropriate combination of the associated elements. In 
Volume 3 of the Task Group II report, detailed examples are pre- 
sented for an airborne avionics system, an intercontinental mis- 
sile system, a radar surveillance system, and a spacecraft system. 

The level of detail at which an analysis is performed will depend 
on the information and data available and on the purpose of the
evaluation. For one study, a mean repair time may be sufficient 
input for the availability evaluation, while for another study 
such factors as queuing theory, spare parts availability, main- 
tenance efficiency, and periodic-checkout procedures may have to 
be incorporated. 

There are still many different areas that will require further 
research. One major problem is to develop improved techniques 
to convert available data into the appropriate vector and matrix 
elements of A, D, and C. Better analytic and computational tech- 
niques are required to incorporate state changes and those asso- 
ciated capabilities that can occur over a continuous interval. 

Such factors as state occupancy times and steady-state behavior 
may be involved in such analyses. Study also is recommended on 
a means to obtain some measure of "confidence" in the results of
the effectiveness evaluation, both in the probabilistic combina- 
tion of estimates and in guiding the decision process associated 
with the evaluation. Computerized analytic and simulation methods 
are needed for complex systems that generate a very large number 
of system states. 

The WSEIAC model framework, or similar approach, has been ap-
plied to several systems, and has generally been found to be a
reasonable method for evaluating effectiveness on a mission- 
oriented basis. Because of the impetus provided by WSEIAC, a 
great deal of research is being sponsored by the military and 
private agencies in order to improve this first effort. 

3. Data Problems 

The quality of the data used to perform calculations during the 
course of a systems performance effectiveness analysis will have 
a significant effect on the accuracy and utility of the results. 
Unfortunately, the mathematical model that describes a system 
configuration and behavior often is far more precise than the 
input data available. If effectiveness values—obtained from
an exercise of the system model—are used as relative rather
than absolute values, the quality of the data is usually found
to be adequate. As a general rule, such values are satisfactory 
when the analysis is performed to obtain comparisons between 
alternate designs, or to determine the effect of changes on a 
specific configuration. If absolute values are required, however, 
extreme care must be used in selecting the input data, and cau- 
tion should be observed in interpreting the results. 
APPENDIX B ANALYTIC DERIVATION OF THE AVAILABILITY FUNCTION


A rather definitive treatment of the rationale and equations 
leading to the derivation and specification of an availability 
function is given in G. H. Sandler's text, System Reliability 
Engineering, Prentice Hall, 1964. In particular, Chapter A5
presents several interesting and appropriate variations, such 
as multiple repairmen, series and parallel redundancy, as well 
as n equipment items that have failed. The intent of this 
appendix is to highlight the method for obtaining the basic 
equations for the simplest case of a single equipment system 
and interpret the results in terms of system design approaches. 
Also, the problem of wearout is treated from a design viewpoint, 
and a rather simple reduction to a Markovian Process is illus- 
trated for the assumptions given. 

For the simple single equipment system, we designate two states-- 
State 0 (the system is operating) and State 1 (the system is 
failed and under repair). Now because the conditional prob-
ability of failure in t, t + dt is $\lambda\,dt$, and the conditional
probability of completing a repair in t, t + dt is $\mu\,dt$, we have
the following transition matrix:

$$P = \begin{bmatrix} 1-\lambda & \lambda \\ \mu & 1-\mu \end{bmatrix}$$

The differential equations describing the stochastic behavior
of this system can be formed by considering the following: 
the probability that the system is in State 0 at time t + dt 
is derived from the probability that it was in State 0 at time 
t and did not fail in t,t + dt, or that it was in State 1 at 
time t and returned to State 0 in t, t + dt. Thus, we have 

$$P_0(t+dt) = P_0(t)(1-\lambda\,dt) + P_1(t)\,\mu\,dt + 0(dt).$$

Similarly, the probability of being in State 1 at time t + dt 
is derived from the probability that the system was in State 0 
at time t and failed in t,t + dt, or it was in State 1 at time 
t, and the repair was not completed in t,t + dt. Therefore, 

$$P_1(t+dt) = P_0(t)\,\lambda\,dt + P_1(t)(1-\mu\,dt) + 0(dt).$$

The term 0(dt) in both equations represents the probability 
of two events taking place in t, t + dt, which is negligible. 

Note that the coefficients of these equations represent the 
rows of the transition matrix. As before, we find the dif- 
ferential equations by defining the limit of the ratio: 

$$\frac{P_i(t+dt) - P_i(t)}{dt},$$

which yields,

$$P_0'(t) = -\lambda P_0(t) + \mu P_1(t)$$

$$P_1'(t) = \lambda P_0(t) - \mu P_1(t) \qquad (1)$$

If we say that at time $t = 0$ the system was in operation, the
initial conditions are $P_0(0) = 1$, $P_1(0) = 0$. It is also of
interest to consider the case where we begin when the system is
down and under repair. In this case, the initial conditions
are $P_0(0) = 0$, $P_1(0) = 1$.

Transforming Equations (1) into Laplace transforms under the
initial conditions that $P_0(0) = 1$, $P_1(0) = 0$ we have,

$$sP_0(s) - 1 + \lambda P_0(s) - \mu P_1(s) = 0,$$

$$sP_1(s) - \lambda P_0(s) + \mu P_1(s) = 0,$$

and simplifying,

$$(s + \lambda)P_0(s) - \mu P_1(s) = 1,$$

$$-\lambda P_0(s) + (s + \mu)P_1(s) = 0.$$

Although the solution for $P_0(s)$ and $P_1(s)$ can be found easily
in this case, we shall apply Cramer's rule because it will be
useful in later examples. To solve this system of equations, we
introduce the determinant $D$, whose elements are the coefficients
of the $P_i(s)$'s. We also introduce the determinant $D_i$, which is
formed by substituting the solution vector for the $i$th coeffi-
cient column. Then the solution is $P_i(s) = D_i/D$. Therefore:

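$$P_0(s) = \frac{\begin{vmatrix} 1 & -\mu \\ 0 & s+\mu \end{vmatrix}}{\begin{vmatrix} s+\lambda & -\mu \\ -\lambda & s+\mu \end{vmatrix}}$$

and

$$P_0(s) = \frac{s+\mu}{s(s+\lambda+\mu)}.$$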


Now the availability function that we shall designate as $A(t)$ will
be the inverse transform of $P_0(s)$, that is, $A(t) = \mathcal{L}^{-1}\{P_0(s)\}$.

Solving

(2)


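If the system was initially failed, the initial conditions
are $P_0(0) = 0$, $P_1(0) = 1$, and the solutions are

$$A(t) = P_0(t) = \frac{\mu}{\lambda+\mu} - \frac{\mu}{\lambda+\mu}\, e^{-(\lambda+\mu)t}$$

and

$$1 - A(t) = P_1(t) = \frac{\lambda}{\lambda+\mu} + \frac{\mu}{\lambda+\mu}\, e^{-(\lambda+\mu)t}. \qquad (3)$$
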
We note that as t becomes very large, Equations (2) and (3) be-
come equivalent. This indicates that after the system has been
operating for some time, its behavior becomes independent of its 
starting state. 

The availability function A(t) can be interpreted as the prob- 
ability that at any time t the system is in an operating state. 
In many cases, we are interested in the average uptime for some 
definite period. This can be found simply by summing A(t) over 
the time interval of interest and dividing by the total time. 


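$$A(T) = \frac{1}{T} \int_0^T A(t)\,dt. \qquad (4)$$

In this instance we have

$$A(T) = \frac{\mu}{\lambda+\mu} + \frac{\lambda}{(\lambda+\mu)^2\,T} - \frac{\lambda}{(\lambda+\mu)^2\,T}\, e^{-(\lambda+\mu)T}. \qquad (5)$$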

If we are interested in the long-term availability of the system
we can let $t \to \infty$ and find,

$$A(\infty) = \frac{\mu}{\lambda+\mu}. \qquad (6)$$

This condition is usually referred to as the steady-state 
availability. Essentially, it implies that for a large en- 
semble of equipment items, the process will maintain itself in 
a state of statistical equilibrium. 

It is this analytical expression that is commonly used to de-
scribe availability in the form:

$$\text{Operational Availability} = \frac{\text{Mean Time Between Failures (MTBF)}}{\text{(MTBF)} + \text{Mean Time to Repair (MTTR)}}$$

This parameter is a measure of an attribute of the system and, 
as such, is subject to two conditions: 

1) The value that is attainable within the resources available; 

2) The value that is needed to meet the objectives of the mission. 
The initial design analysis objective is to establish that the
attainable probability of system availability meets the mission
needs. The mission requirement depends on the criticality of the
mission and risk that is acceptable to management. It may be a
rigorous requirement or flexible, i.e., the highest probability
attainable within a given resource allocation. In either case, 
the analytical problem becomes one of optimizing the two opera- 
tional availability parameters MTBF and MTTR for the operational 
modes of the system. 
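
An added example, not part of the report, that integrates Equations (1) numerically and compares the result with the standard closed-form solution of the two-state model, the time average of Equation (5), and the MTBF/(MTBF + MTTR) steady state. The 200-hour MTBF and 8-hour MTTR are constructed values, and the function names are assumptions.

```python
import math


def closed_form_availability(lam, mu, t, start_up=True):
    """P0(t) of the two-state model (standard solution of Equations (1)).

    start_up=True  : system operating at t = 0, P0(0) = 1.
    start_up=False : system failed at t = 0,    P0(0) = 0 (Equation (3)).
    """
    s = lam + mu
    steady = mu / s
    amplitude = lam / s if start_up else -mu / s
    return steady + amplitude * math.exp(-s * t)


def integrate_equations_1(lam, mu, t_end, start_up=True, steps=2000):
    """Fourth-order Runge-Kutta integration of Equations (1).

    P0' = -lam*P0 + mu*P1,  P1' = lam*P0 - mu*P1.  Returns (P0, P1) at t_end.
    """
    def deriv(p0, p1):
        return (-lam * p0 + mu * p1, lam * p0 - mu * p1)

    p0, p1 = (1.0, 0.0) if start_up else (0.0, 1.0)
    h = t_end / steps
    for _ in range(steps):
        k1 = deriv(p0, p1)
        k2 = deriv(p0 + 0.5 * h * k1[0], p1 + 0.5 * h * k1[1])
        k3 = deriv(p0 + 0.5 * h * k2[0], p1 + 0.5 * h * k2[1])
        k4 = deriv(p0 + h * k3[0], p1 + h * k3[1])
        p0 += h * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0]) / 6.0
        p1 += h * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1]) / 6.0
    return p0, p1


def interval_availability(lam, mu, T):
    """Equation (5): average of A(t) over [0, T], system initially operating."""
    s = lam + mu
    return mu / s + lam / (s * s * T) * (1.0 - math.exp(-s * T))


def steady_state_availability(mtbf, mttr):
    """Equation (6) written as MTBF / (MTBF + MTTR)."""
    return mtbf / (mtbf + mttr)


if __name__ == "__main__":
    mtbf, mttr = 200.0, 8.0            # constructed values, in hours
    lam, mu = 1.0 / mtbf, 1.0 / mttr   # constant failure and repair rates
    print("steady state:", round(steady_state_availability(mtbf, mttr), 6))
    for t in (1.0, 8.0, 24.0, 100.0):
        up, _ = integrate_equations_1(lam, mu, t, start_up=True)
        down, _ = integrate_equations_1(lam, mu, t, start_up=False)
        print(f"t={t:6.1f} h  A(t) from up={up:.6f}  from failed={down:.6f}  "
              f"average over [0,t]={interval_availability(lam, mu, t):.6f}")
```

The printed rows show the two starting conditions converging on the same steady-state value as t grows, while the interval average for a system that starts operating stays above it.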

The above analysis is for a single item of equipment with con- 
stant repair and failure rates. Several variations of this 
basic approach to more complex situations are of interest. For 
example, consider the problem where the equipment is subjected 
to two types of repair. Thus, when the equipment fails for the 
first time, partial repair is performed, which restores the 
system to operation. However, this increased the probability 
of failure. After the equipment fails for the second time, a 
second repair is performed. Thus, the analytical procedure is 
as follows: 

1) Let $\lambda_1$ designate the failure rate when the equipment has
been through a complete repair;

2) Let $\lambda_2$ designate the failure rate when the equipment has
been through a partial repair ($\lambda_2 > \lambda_1$);

3) Let $\mu_1$ be the repair rate for a partial repair;

4) Let $\mu_2$ be the repair rate for a complete repair, i.e., $\mu_2 < \mu_1$.

Consider the four states of the system as: 

1) State 0 - System is failed and a partial repair is being 
performed; 

2) State 1 - System is failed and a partial repair is being 
performed; 

3) State 2 - System is operating after completion of partial 
repair; 

4) State 3 - System is failed and a complete repair is being 
performed. 

The transition matrix becomes: 

$$\begin{pmatrix} 1-\lambda_1 & \lambda_1 & 0 & 0 \\ 0 & 1-\mu_1 & \mu_1 & 0 \\ 0 & 0 & 1-\lambda_2 & \lambda_2 \\ \mu_2 & 0 & 0 & 1-\mu_2 \end{pmatrix}$$

The resulting proportion of time spent in an acceptable state, 
$A(\infty)$, is given by: 

$$A(\infty) = \frac{\lambda_1 \mu_1 \mu_2 + \lambda_2 \mu_1 \mu_2}{\lambda_1 \lambda_2 \mu_1 + \lambda_1 \lambda_2 \mu_2 + \lambda_1 \mu_1 \mu_2 + \lambda_2 \mu_1 \mu_2}$$

Thus, if $\lambda_1 = \lambda_2$ and $\mu_1 = \mu_2$, the above equation reduces to 
Equation (6). 

There are several additional interesting variations of the 
repair or maintenance policies that can be considered analytically. 
The availability function is given for each of these formulations. 
The respective derivations may be found in System Reliability 
Engineering by G. H. Sandler. 


1) n equipment with r ≥ n repairmen: 

A (00) - ( 8 ) 

(X-Ml)" 

2) Two-equipment item series system with two repairmen: 

A(oo) s 1M (9) 

3 V + JI 4 A + 2 A 2 

3) n equipment items with R<n repairmen working independently: 
$A(\infty)$ 


(10a) 


n-m-1 

E 

K : 0 


where 


P k s 2L0— {p \ 

k (n-k)! k! ' °* 

Pk -. jl . f«r 

(n-k)! (r) 



(n-k) !k! 


for k< r 


H 


for k>r , 


f' pL fil 

Hr (n ' k):k! 




-1 


(10B) 


(10c) 


(10d) 


0 = 


(10e) 


4) Two-equipment item redundant system operating in parallel: 


A ( 00 ) a ( /£ +ii A 2 ) • 

l*+A l 2 


(11) 


5) Two-equipment item redundant system operating in parallel 
in which it is not possible to service a failed item of 
equipment until the complete system fails: 


A ( 00 ) 


3 /l 2 +/IX2 

3 M 2 + 03A + A 2 


( 12 ) 

A. DESIGN FOR WEAROUT 


The expression of an availability probability in terms of 
variables MTBF and MTTR serves the purpose of establishing 
system objectives that can be assessed for feasibility and 
guidelines for conceptual design. 

The total mission time can be compared to MTBF to assure 
compatibility. If the mission time is on the order of 1/10 
of the MTBF, the failure characteristic can be treated as 
an exponential decay function. If this is not the case, 
and the mission time is a larger percentage of the MTBF, 
then the problem of wearout (useful life) enters into the 
problem. Wearout is the case where the failure rate starts 
to increase after the steady-state failure performance has 
been reached, as in Fig. 1. 



Fig. 1 ~ Wearout Characteristic 


The analytical expression for operational availability 
comes into use in the concept and definition phases. In 
the case of wearout, this involves the formulation of a 
non-Markovian Process to obtain the steady-state 
availability function. Initially, nonlinear stochastic 
equations result, which, in many cases (but the simplest), 
prove to be intractable. However, there are many cases in 
which the equipment failure distributions are other than 
exponential, but the transition process can be treated as a 
Markov Process by increasing the number of states, each 
being described by a constant transition rate. For example, 
consider the single equipment case in which F(t) = 
the gamma distribution (see Fig. 1). It is assumed that 
the equipment goes through two exponential phases, each of 
length $1/\lambda$. Three states are defined: 

1) State 0 - System is operating in the first phase; 

2) State 1 - System is operating in the second phase; 

3) State 2 - System is failed. 

The transition matrix becomes: 

$$\begin{pmatrix} 1-\lambda & \lambda & 0 \\ 0 & 1-\lambda & \lambda \\ \mu & 0 & 1-\mu \end{pmatrix}$$

The steady-state equations are: 

$$-\lambda P_0 + \mu P_2 = 0$$

$$\lambda P_0 - \lambda P_1 = 0$$

$$\lambda P_1 - \mu P_2 = 0$$

$$A(\infty) = 2P_0 = \frac{2\mu}{2\mu + \lambda}$$

This simple example illustrates the technique for solving 
these types of problems in terms of the Markov formula- 
tion. In general, the application to a specific situation 
involves the following steps: 

1) On the mission level, the equipment performance 
characteristics are compared against the mission 
profile to provide an hypothetical operational scenario, 
for the purposes of sizing and to determine critical 
equipment usages. The respective sensitivities in 
margins as to the allocation of failure rates and repair 
rates are assessed to determine overall availability 
requirements and equipment compatibilities; 

2) The identification of a subsequent maintenance model, 
and repair regimen is delineated in accordance with 
the projected equipment use profile, and provision for 
wearout is made by the specification of a regimen in 
the operational cycle at which wearout results in a 
catastrophic failure; 

3) The analysis procedure includes the formulation of 
either a simulation or, at first, a simple analytical 
model to indicate the appropriate solution to the 
availability function. This implies the estimation of failure 
rates, and the knowledge of the state of the system 
before wearout; 

4) Refinement of the availability function to include the 
effects of interrupted states may be accomplished by 
the specification of successive transition matrices 
and solving for the composite availability function. 

In terms of the design methodology, and its implications 
concerning the systems engineering process, each new state 
corresponds to an alternative solution in terms of specify- 
ing transition probabilities and failure and repair rates. 

The optimal combination of each transition matrix at each 
point in the design process involves a multistage decision 
process, which can be formulated as a dynamic programming 
problem. In a great many instances intuition and empirical 
experience are substitutes for formal analytical procedures. 
However, where a large number of cost tradeoffs are 
involved, and a great number of transition matrices need be 
computed, the automation of the decision process would prove 
useful. 
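
The Markov formulation used above for both the two-repair model and the two-phase wearout model can be checked numerically. The following is an added example, not code from the report: it solves the steady-state equations of any one-step transition matrix and compares the result with the closed forms. The function names and the rate values are assumptions, and State 0 of the two-repair model is taken to be "operating after a complete repair", the reading under which $\lambda_1$ leaves State 0 in the matrix.

```python
"""Added example: steady-state availability from a one-step transition matrix."""


def steady_state(P):
    """Return pi with pi = pi*P and sum(pi) = 1 (Gauss-Jordan, partial pivoting)."""
    n = len(P)
    for row in P:
        if len(row) != n or min(row) < 0.0 or abs(sum(row) - 1.0) > 1e-12:
            raise ValueError("each row must be a probability distribution")
    # Row i is the balance equation of state i: sum_j pi_j * P[j][i] - pi_i = 0.
    A = [[P[j][i] - (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    b = [0.0] * n
    # The n balance equations are linearly dependent, so the last one is
    # replaced by the normalisation sum(pi) = 1.
    A[-1] = [1.0] * n
    b[-1] = 1.0
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(A[r][col]))
        if abs(A[piv][col]) < 1e-15:
            raise ValueError("no unique steady-state solution")
        A[col], A[piv] = A[piv], A[col]
        b[col], b[piv] = b[piv], b[col]
        for r in range(n):
            if r != col:
                f = A[r][col] / A[col][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
                b[r] -= f * b[col]
    return [b[i] / A[i][i] for i in range(n)]


def availability(P, up_states):
    """Long-run fraction of time spent in the listed operating states."""
    pi = steady_state(P)
    return sum(pi[s] for s in up_states)


def two_repair_matrix(lam1, lam2, mu1, mu2):
    """Four-state partial/complete repair model; rates are per time step."""
    return [
        [1 - lam1, lam1, 0.0, 0.0],   # 0: operating after complete repair (assumed)
        [0.0, 1 - mu1, mu1, 0.0],     # 1: failed, partial repair in progress
        [0.0, 0.0, 1 - lam2, lam2],   # 2: operating after partial repair
        [mu2, 0.0, 0.0, 1 - mu2],     # 3: failed, complete repair in progress
    ]


def two_phase_matrix(lam, mu):
    """Three-state wearout model: two exponential phases, then repair."""
    return [
        [1 - lam, lam, 0.0],          # 0: operating, first phase
        [0.0, 1 - lam, lam],          # 1: operating, second phase
        [mu, 0.0, 1 - mu],            # 2: failed
    ]


def two_repair_closed_form(lam1, lam2, mu1, mu2):
    """Closed-form A(infinity) of the four-state model."""
    num = lam1 * mu1 * mu2 + lam2 * mu1 * mu2
    den = lam1 * lam2 * mu1 + lam1 * lam2 * mu2 + num
    return num / den


if __name__ == "__main__":
    # Constructed rates per hour: MTBF 500 h / 200 h, repairs of 2 h / 10 h.
    rates = (0.002, 0.005, 0.5, 0.1)
    print("two-repair, numeric :", availability(two_repair_matrix(*rates), (0, 2)))
    print("two-repair, closed  :", two_repair_closed_form(*rates))
    print("two-phase wearout   :", availability(two_phase_matrix(0.002, 0.5), (0, 1)))
    print("2*mu / (2*mu + lam) :", 2 * 0.5 / (2 * 0.5 + 0.002))
```

Because only the ratios of the rates enter the steady state, the same answer is obtained for any time step small enough to keep every row a valid probability distribution.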


B. SINGLE ELEMENT WEAROUT DESIGN FOR MAINTAINED SYSTEMS 


In general, it has been observed that a large class of 
electronic and mechanical equipment and components 
exhibit failure distributions similar to those shown in 
Fig. 2 (Ref 1). This distribution can be considered most 
conveniently as the sum of three elementary distributions, 
i.e., 

$$f(t) = a_\alpha f_\alpha(t) + a_\beta f_\beta(t) + a_\gamma f_\gamma(t),$$

where 

$a_\alpha$, $a_\beta$, and $a_\gamma$ = weights for combining the 
distribution so that f(t) will satisfy 
the conditions of a probability 
density distribution function. For 
the purpose here, $a_\alpha + a_\beta + a_\gamma = 1$ 

f^(t) m failure distribution which dominates 
in period ( 

Period 1 is called the early failure or debugging period 
where high failure rate items are uncovered and defects 
that escaped quality control inspection are found. The 
number of failures is expected to decrease rapidly with 
time in this period. A gamma distribution may be used to 
approximate the distribution that dominates in this period. 
Figure 3 illustrates the shapes of some common failure 
distributions and related functions. 

Period 2 is called the normal failure or constant failure 
rate (to be more exact, constant hazard rate) period. It 
is the period in which equipment reliability is usually 
considered. In this period, the exponential law of failure 
dominates. 

Period 3 is called the Gaussian or wearout failure period 
where some elements of the equipment fail from wear. The 
normal (Gaussian) distribution may be used to approximate 
the dominating distribution for this period. To the extent 
that such a period is known to exist during the useful life 
of the equipment, it is necessary to establish overhaul and 
maintenance policies. It is, therefore, this level or amount 
of equipment survivability that is the key to providing the 
designer with a methodology for achieving the required 
performance. The concept is that there exists some degree of 
survivability, p, between 0 and 1, which the designer can 
manipulate early in the design cycle to obtain alternative 
and meaningful solutions to the reliability and 
maintainability problems. This degree of survivability can be 
thought of in two ways: 

1) It is a compilation of experience with respect to 
similar equipment in similar operational environments--the 
percentage of failures that have been found to occur 
and are reparable. 

2) It is a rough measure of maintainability--defined by 
spares availability, level of checkout, and system 
repair capability. 

Thus, in case of a failure, a subsystem can be repaired with 
a certain probability. Generally, this probability will be 
a complex function of the above maintainability factors, 
availability of spares, the capability of the repairman, and 
the efficiency of the fault isolation equipment. 

What follows is neither a very formalistic nor a 
mathematically rigorous approach. Rather, the emphasis is on 
how the designer plays his hand through the proper 
specification of the survivability factor, p. In this, he is 
using p as a convenient and useful rule of thumb--a 
designer's index--which, however, can have a powerful effect 
on the design of other elements of the system. The basic 
premise is that the reliability of a maintained system is 
a function of four parameters, $\psi$, $\Omega$, t, and p. These are 
defined as follows. 

t is the desired operating time for the equipment. 

It is assumed that repairs can be accomplished at 
any point within this time- -the model ignores the 
periods during the mission where repair is impossible. 
Examples of such periods are rendezvous operations 
where the crew is fully occupied with the rendezvous 
maneuver; midcourse correction where the crew members 
are strapped to their seats and are unable to move to 
the areas of the spacecraft where repairs may be neces- 
sary; and the descent or ascent phases of the mission. 
Usually, these time periods account only for a very 
small fraction of the total equipment operating time, 
and, in this case, no significant error is introduced 
by ignoring them. 

$\psi$ is the failure rate, the reciprocal of the 
mean-time-between-failures, for the system. The widely accepted 
Weibull failure distribution is assumed here. This means 
that it is possible to approximate failures by varying 
the distribution parameters during any of the three time 
periods delineated in Fig. 2. 

$\Omega$ is the repair rate, the reciprocal of the average time 
to restore the system to operating condition. Depending 
on the equipment design and maintenance concept, the 
repair-time distribution may take many forms. It is 
assumed to be exponentially distributed. The reason 
for this assumption is that since the model is 
insensitive to the exact form of the distribution (see Ref 1), 
a distribution that simplifies the mathematics as much 
as possible will be used. 







The factor, p, is the keystone of this approach. It 
defines the probability of wearout, i.e., survivability. 
In effect, p is equivalent in many respects to some of 
the current definitions of maintainability, at least 
with respect to a system in an operating environment. 

The functional relationship of p to the factors 
previously given (spares availability, level of checkout, 
and system repair capability) is a complicated one, but 
since the emphasis here is toward the application of 
the designer's knowledge, experience,** or the 
intuitive judgment of p, it is assumed that each of these 
factors is probabilistically independent. This is not 
entirely accurate. Indeed, much of the work being done 
today in maintainability is directed toward trying to 
establish a more formal relationship between, for 
example, test equipment and training, in order to 
structure and understand their interaction. 

It is clear that if a piece of equipment is repaired and 
put back into operation, it will have a new failure dis- 
tribution. If a group of equipment of various ages are 
kept operating by means of immediate repair after any 
failure, ultimately this mixed-age population will appear 
to have an exponential failure distribution. 

1. MATHEMATICAL MODEL FOR A SINGLE ELEMENT MAINTAINED SYSTEM 


Figure 4 illustrates a typical single element maintained 
configuration for which the designer desires to achieve a 
given level of survivability. 

Fig. 4 -- Typical Single Element Maintained Configuration 
(operative maintained element) 

There are many functions aboard a spacecraft that can be 
fulfilled by such a system where a backup is not required. 
For example, the VHF communication system may very well be 
without backup, since being "down" for repairs does not 
necessarily imply a catastrophic event. For these systems 
one is primarily interested in availability; i.e., what 
percentage of the total mission time the communication 
system is in operating condition. 

**If the equipment being designed is similar to other equipment 
already in use, and if the operational environments are 
comparable, p can be obtained from experience, i.e., the percentage of 
those failures that have occurred over a period of time that were 
found to be repairable. Furthermore, if spares are consumed 
during a mission, p is really a function of time. However, it is 
assumed that spares consumption is low, thereby allowing the time 
dependence of p to be ignored. 

The basic assumptions for this model are: 

1) During standby operation or while undergoing repair, 
the failure rate of the element is zero. During 
operation, the failure distribution is of the Weibull 
type, i.e., the probability that a failure occurs 
between t and t + dt is $\psi\,dt$, where $\psi$ is the failure 
rate. 

2) The repair distribution is also of the Weibull type, 
with repair rate $\Omega$. 

3) The probability of survival is p (wearout condition). 

4) Each failure is repairable. 

5) Failures are detected immediately, and repair action 
starts as soon as the failure is discovered. 

At any one time, the system may be in one of three mutually 
exclusive states. 

State 1 - operating 

State 2 - down and in repair 

State 3 - down and nonrepairable 

Following the usual methods (Ref 2) one can relate the state 
probabilities at time "t" with those a short time "dt" later 
by the equations: 

$$P_1(t + dt) = P_1(t) - \psi P_1(t)\,dt + \Omega P_2(t)\,dt$$

$$P_2(t + dt) = p\psi P_1(t)\,dt + P_2(t) - \Omega P_2(t)\,dt$$

$$P_3(t + dt) = P_1(t)(1 - p)\psi\,dt + P_3(t)$$

These equations can be solved by first obtaining the Laplace 
transform, where $P_1(0) = 1$, and $P_2(0) = P_3(0) = 0$, and then 
finding the inverse. Thus, the differential transition 
matrix is given by: 

$$\begin{pmatrix} -\psi & p\psi & (1-p)\psi \\ \Omega & -\Omega & 0 \\ 0 & 0 & 0 \end{pmatrix} \qquad (14)$$

The probability that the system is operational at time t 
is given by 

$$P_1(t) = \mathcal{L}^{-1}\left[\frac{s(s + \Omega)}{s(s + \psi)(s + \Omega) - sp\Omega\psi}\right] = \frac{1}{a - b}\left[(\Omega + a)e^{at} - (\Omega + b)e^{bt}\right] \qquad (15)$$

where 

$$a = \frac{-(\psi + \Omega) + \{(\psi + \Omega)^2 - 4\psi\Omega(1 - p)\}^{1/2}}{2}, \qquad b = \frac{-(\psi + \Omega) - \{(\psi + \Omega)^2 - 4\psi\Omega(1 - p)\}^{1/2}}{2} \qquad (16)$$

The availability of the system, or the average time the 
system is operational, during an interval t, is 



The percentage availability improvement over a similar 
nonmaintained (i.e., nonsurvivable) system is defined as 

$$\text{availability improvement} = \frac{(\text{availability of a maintained system}) - (\text{availability of nonmaintained system})}{\text{availability of nonmaintained system}} \times 100$$

This function is plotted in Fig. 5 for given parametric 
values of $\psi$ and $\Omega$. The use of this tool by the designer 
is illustrated in the following section. 

Fig. 5 — Availability Improvement of a Single-Element Maintained System 
(vertical axis: availability improvement, per cent) 

2. A DESIGN APPLICATION 

Consider the designer who is in the prototype design stages 
of, say, the VHF communication system of a spacecraft. He 
has been told that the availability required of this 
particular system is 0.928. However, now that he has finished his 
prototype design, he does a simple and acceptable analysis 
by means of a parts count, and finds that his availability 
is 0.800. How does he get the 16% improvement to meet the 
requirement? 

There are a few standard approaches he can use. First, he 
can reexamine his circuit design with the aid of a 
reliability expert and perhaps uncover some marginal component 
applications. He can, with the aid of a component parts 
expert, examine the parts in the equipment and determine 
whether he has, in fact, used the highest reliability 
components available to him. If, at the conclusion of 
this exercise he has improved the availability of the 
system from 0.800 to 0.844, or by about 5.5%, he is still 
faced with the problem of achieving an additional 10% 
improvement in availability. What is his next step? 

If he is guided by past experience, the designer will 
examine the possibility of incorporating some form of 
redundancy into his design. The equations that will give 
him additional availability for a given degree of 
redundancy are fairly straightforward. He applies them and 
notes that he can indeed achieve the additional 
availability in this manner. This, of course, means that he 
is not making the entire VHF system redundant but, rather, 
he is making redundant only those parts of the system that 
he has found to be the least reliable and/or most amenable 
to such redundancy. In so doing, however, he has probably 
increased the number of interconnections and also the system 
weight; and, since this is a space system and weight is 
extremely important, he may be in trouble. 

This search for the proper level of redundancy is a valid 
one. In many cases the use of redundancy will solve his 
problem, especially if the system has a relatively short 
desired operating time as compared to its 
mean-time-between-failures (MTBF). However, it is at this point that the 
designer, if he has not yet achieved the required design 
availability, frequently shows his lack of appreciation for 
the role of maintainability. He will attempt a wholesale 
circuit redesign in order to achieve his reliability goal, 
rather than examine the logical next step--enhancing the 
survivability of the system by making it maintainable. 

Making a system maintainable is not easy. For one thing 
the system design must be such that components or 
subsystems can be removed and replaced and, furthermore, spares 
must be made available for replacement. The designer must 
determine just how much and what kind of repair should be 
included in his system. He must do this in an environment 
of considerable uncertainty, for at this early stage of the 
project he does not know the characteristics of the checkout 
or fault-isolation equipment; he does not know what spares 
he will be allowed, and he has only a very general 
appreciation of the maintenance requirements. 

But this air of uncertainty has some advantages for the 
designer. It allows him to place additional requirements 
on the system design, because, as the example given below 
will show, he can determine just how much improvement in 
system reliability a given level of survivability will give. 

For the system shown in Fig. 5, let the MTBF be 500 hr, and 
assume the desired operating time is 250 hr (about 11 days). 
The availability of this system is 0.844. This number is 
obtained from: 

$$A(T) = (1 + \psi t)e^{-\psi t}$$

Suppose the designer's availability goal, arrived at 
through apportionment, is 0.928. This implies that 
availability improvement of at least 10% is required. By 
referring to Fig. 5, we see that for a value of 
$\psi t$ = 0.002 x 250 = 0.5, a p factor of approximately 0.6 
gives an availability improvement of 10%. So a survivability 
of 0.6 will yield the desired boost in availability--the 
designer must now find ways of obtaining the 0.6 p factor. 

Let us assume that the designer concludes that the system 
repair capability is 75%. Then, based on his experience 
with fault-isolation systems and knowledge of the fault 
isolation task inherent in his design, and from consultations 
with designers of in-flight test systems, he may reasonably 
require the fault isolation system to be 90% effective in 
locating the faulty part within his system. Then, there 
remains the problem of assessing the spares availability that 
can be obtained from a certain allowance of spares weight. 
Fortunately, there are techniques (Ref 3) for solving this 
problem but, for the moment, we will just apply the rule of 
thumb that for electronic equipment more than 90% of the 
failures are attributable to 10% of the total number of 
parts in the equipment. Further, assume that the designer 
can, in fact, stock this 10% of the parts and stay within 
the weight constraints. He can then consider his spares 
availability to be equal to 90%. Multiplying these three 
factors, the designer obtains a value 

p = 0.75 x 0.90 x 0.90 = 0.6075 

and has achieved the p factor required for the desired 
degree of availability improvement. 

It is at this point that the designer should verify that 
this system does indeed meet the availability specifications 
more efficiently (say at a lower overall system weight) than 
that of his other alternatives. 
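
The three-state model of Section B.1 can be evaluated directly, as in the following added example (not code from the report). It computes $P_1(t)$ from the roots of the quadratic left in the denominator of transform (15), cross-checks it by stepping the state equations, and forms the percentage improvement over the nonmaintained case p = 0. The function names, the repair rate of 0.5 per hour, and the reading of interval availability as the time average of $P_1$ are assumptions.

```python
"""Added example: single-element maintained system with survivability p."""
import math


def _roots(psi, omega, p):
    """Roots a >= b of s^2 + (psi + omega)s + psi*omega*(1 - p) = 0."""
    if not (psi > 0.0 and omega > 0.0 and 0.0 <= p <= 1.0):
        raise ValueError("need psi > 0, omega > 0 and 0 <= p <= 1")
    s = psi + omega
    root = math.sqrt(max(0.0, s * s - 4.0 * psi * omega * (1.0 - p)))
    return (-s + root) / 2.0, (-s - root) / 2.0


def _int_exp(r, t):
    """Integral of exp(r*u) for u in [0, t]; r = 0 occurs when p = 1."""
    return t if abs(r * t) < 1e-12 else math.expm1(r * t) / r


def p_operating(t, psi, omega, p):
    """P1(t): probability the element is operating at t, given P1(0) = 1."""
    a, b = _roots(psi, omega, p)
    if a - b < 1e-12 * (psi + omega):
        # Double root: only for psi == omega and p == 0, where P1 = exp(-psi*t).
        return math.exp(a * t)
    return ((a + omega) * math.exp(a * t) - (b + omega) * math.exp(b * t)) / (a - b)


def interval_availability(t, psi, omega, p):
    """Time average of P1 over [0, t] (assumed meaning of interval availability)."""
    a, b = _roots(psi, omega, p)
    if a - b < 1e-12 * (psi + omega):
        return _int_exp(a, t) / t
    total = (a + omega) * _int_exp(a, t) - (b + omega) * _int_exp(b, t)
    return total / ((a - b) * t)


def improvement_percent(t, psi, omega, p):
    """Percentage gain over the nonmaintained (p = 0) element."""
    base = interval_availability(t, psi, omega, 0.0)
    return 100.0 * (interval_availability(t, psi, omega, p) - base) / base


def step_state_equations(t, psi, omega, p, dt=0.01):
    """Iterate the three state equations from P1 = 1; returns (P1, P2, P3)."""
    p1, p2, p3 = 1.0, 0.0, 0.0
    for _ in range(int(round(t / dt))):
        p1, p2, p3 = (
            p1 - psi * p1 * dt + omega * p2 * dt,
            p * psi * p1 * dt + p2 - omega * p2 * dt,
            p1 * (1.0 - p) * psi * dt + p3,
        )
    return p1, p2, p3


if __name__ == "__main__":
    psi, t = 1.0 / 500.0, 250.0      # MTBF 500 hr, operating time 250 hr
    omega = 0.5                      # assumed: mean repair time of 2 hr
    for p in (0.0, 0.3, 0.6075, 0.9, 1.0):
        print(p, round(interval_availability(t, psi, omega, p), 4),
              round(improvement_percent(t, psi, omega, p), 2))
```

The improvement obtained depends on the assumed repair rate, so the printed figures are not a substitute for reading Fig. 5 at the report's own parameter values.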

APPENDIX C 


RELIABILITY AND MAINTAINABILITY TRADEOFF APPROACH 


This example illustrates an approach to conducting a Reliability 
(MTBF) and Maintainability (MTTR) tradeoff when given a specified 
Inherent Availability. The desired alternative is based on 
initial and sustaining costs. 

Design Problem 

A requirement exists to design a radar receiver that will meet an 
Inherent Availability of 0.990, a minimum MTBF of 200 hours, and 
a MTTR not to exceed 4.0 hours. Existing design with the use of 
Military Standard parts meets an Availability of 0.97, a MTBF 
of 130 hours, and a MTTR of 4.64 hours. 

Possible Solutions 

Three different alternative design configurations are being considered 
to satisfy availability requirements: 


Design Configuration                          A        MTBF*    MTTR (hr)+ 

1. R - derating of military                   0.990    200      2.02 
       standard parts 
   M - modularization and 
       automatic testing 

2. R - design includes high                   0.990    300      3.03 
       reliability parts/components 
   M - limited modularization 
       and semiautomatic testing 

3. R - design includes partial                0.990    350      3.54 
       redundancy 
   M - manual testing and 
       limited modularization 

* Conservative Estimate - Lower 2σ Bound 
+ Conservative Estimate - Upper 2σ Bound 


Design Configuration 1 emphasizes the Maintainability aspects in 
the design while Design Configuration 3 emphasizes Reliability 
improvement. The Reliability-Maintainability relationship is 
derived through the equation: 

$$\text{Inherent Availability } (A_i) = \frac{\text{MTBF}}{\text{MTBF} + \text{MTTR}}$$



The area for reliability-maintainability tradeoff is illustrated 
in Figure 1. 

FIGURE 1 — Reliability-Maintainability Tradeoff 
(horizontal axis: mean-time-between-failure (MTBF), hr) 

C. Tradeoff Approach 

1) Cost data are developed against each configuration. Such 
data include both initial costs (those associated with design 
and manufacture of the equipment) and sustaining costs (those 
associated with field operations - manpower, test equipment, 
spare parts, facilities, etc). 


2) Initial cost factors are as follows (the values used are 
estimated and not necessarily representative of actual 
experience). 


Item                 Existing         Configuration    Configuration    Configuration 
                     Configuration    1                2                3 
                     (dollars)        (dollars)        (dollars)        (dollars) 

RDT & E Cost         300,000          324,937          319,125          321,500 
  Reliability        -                1,187            6,625            16,750 
  Maintainability    -                23,750           12,500           4,750 

Manufacture Cost*    4,500,000        4,534,250        4,524,700        4,530,250 
  Reliability        -                1,750            9,200            22,500 
  Maintainability    -                32,500           15,500           7,750 


* Manufacture Cost is total based on 300 units. 


The following tabulation presents the net incremental value (cost) 
of Reliability and Maintainability in equipment design as derived 
from the above figures. 


Item                 Configuration    Configuration    Configuration 
                     1                2                3 
                     (dollars)        (dollars)        (dollars) 

Reliability          2,937            15,825           39,250 
Maintainability      56,250           28,000           12,500 
Total                59,187           43,825           51,750 


3) Sustaining cost factors represent estimated cost to support 300 
units for 10 years. 

SUSTAINING COST FACTORS 

(2500 parts) (2605 parts) (2565 parts) (26^0 parts) $19/line item/year 


Referring to the sustaining cost table, a net sustaining cost 
savings is realized for each proposed design configuration. 

This saving is derived through the improvement in equipment 
availability, resulting in a reduction in required maintenance 
support. The following computation illustrates the cost savings 
against each design configuration when compared against existing 
design: 

Configuration 1 - $966,700 
Configuration 2 - $997,104 
Configuration 3 - $984,816 

4) Subsequent to deriving both initial and sustaining cost factors, 
the net effect is obtained through subtracting the initial 
added costs for Reliability and Maintainability from the overall 
sustaining cost savings: 

Configuration 1   $966,700 - $59,187 = $907,513 
Configuration 2   $997,104 - $43,825 = $953,279 
Configuration 3   $984,816 - $51,750 = $933,066 


Because the sustaining cost factors are estimated values, an 
uncertainty of ± 20% in the total costs yields the following 
overall sustaining cost savings: 


+ 20%   Configuration 1   $759,444 - $59,187 = $700,257 
        Configuration 2   $795,928.80 - $43,825 = $752,103.80 
        Configuration 3   $781,182.20 - $51,750 = $729,433.20 

- 20%   Configuration 1   $1,173,956 - $59,187 = $1,114,769 
        Configuration 2   $1,198,279.80 - $43,825 = $1,154,454.80 
        Configuration 3   $1,188,448.80 - $51,750 = $1,136,698.80 


D. Design Decision 


The intent of this tradeoff is to generate and evaluate the 
alternative Reliability and Maintainability design features 
required to meet a specified Availability. In doing so, the 
basic evaluation criterion is cost. Referring to the above cost 
factors, Configuration 2 satisfies the required equipment 
Availability with maximum cost savings or minimum initial cost 
expenditure, even under the conditions of a + 20% uncertainty in 
the total estimated costs. This lack of sensitivity indicates 
that the total sustaining cost savings has a broad maximum, over 
which perturbations in such factors as spares, facilities, and 
test equipment have little influence in changing the decision 
relative to the remaining alternatives. The reason for this is that 
Configuration 2, which represents the most cost/effective condition, 
is a conservative position between the two extremes of too little 
reliability (R), and too much modularization (M) and testing. The 
combined effect is to produce a cost savings figure of merit based 
on the product of M and R that, as one factor is increased, the 
other factor decreases in approximately the same proportion. Thus, 
the essential tradeoff (for the same amount of availability) 
emphasizes a design solution that is a compromise and does not 
incorporate one overriding critical cost element that would result 
in a reversal of the sensitivity figures for Configurations 1 or 3. 

APPENDIX D 


SOME PROBABILITY BACKGROUND - JOINT PROBABILITIES 


In the study of probability theory, it is shown that for two 
random continuous variables, x and y, which may or may not be 
independent random variables, one can define a joint probability 
density function, f(xy). The important property of this function 
is that if one takes a random sample from the sample space of xy, 
then the probability of finding a value of x that is somewhere in 
the region P and, at the same time, finding a value of y that is 
in the same region P is given by 

$$P\{xy;\ x, y \in P\} = \iint_P f(xy)\,dx\,dy$$

where the integration is made over the region P. 

More specifically, the probability of finding x in the region 
$x_1 < x < x_2$ and, at the same time, finding y in the region 
$y_1 < y < y_2$ is 

$$P\{xy;\ x_1 < x < x_2,\ y_1 < y < y_2\} = \iint_{x_1,\,y_1}^{x_2,\,y_2} f(xy)\,dx\,dy$$

Furthermore, if x and y are independent random variables, then the 
joint probability density function f(xy) is simply the product of 
the probability density functions for each of the variables 
individually. 


In particular, if x and y are assumed to be independent random 
variables, the joint probability density function for these 
variables is: 

$$f(xy) = p_x(x)\,p_y(y)$$

where $p_x(x)$ is the probability density function for x and $p_y(y)$ 
is the probability density function for y. 

PROBABILITY OF EVENT Y > X 


Let A be the probabilistic event that the random variable y 
exceeds x. Then the probability for the occurrence of event A 
is the probability that, in any random sample taken from x and y, 
one will find y > x and that x will be found any place at all, 

$$P\{A\} = P\{xy;\ y > x,\ -\infty < x < \infty\}$$

To calculate $P\{A\}$, the joint probability density function 
f(xy) must be integrated over the shaded region P of the x, y plane 
because that area is the region where y > x and where $-\infty < x < \infty$. 

This gives: 

$$P\{A\} = \iint_P p_x(x)\,p_y(y)\,dx\,dy = \int_{x \to -\infty}^{x \to \infty}\int_{y = x}^{y \to \infty} p_x(x)\,p_y(y)\,dx\,dy$$


B. CALCULATION PROCEDURE 

To evaluate this integral, perform the y integration first. Then, 
x will appear in the result when the limits are substituted. Then 
perform the x integration. This procedure can be shown in the 
following formula. Let 

$$J(x) = \int_{y = x}^{y \to \infty} p_y(y)\,dy$$

Then 

$$P\{A\} = \int_{x \to -\infty}^{x \to \infty} p_x(x)\,J(x)\,dx$$


C. ALTERNATIVE INTEGRAL 


Alternatively, we could cover the same shaded region by another 
integration, 

$$P\{A\} = \int_{y \to -\infty}^{y \to \infty}\int_{x \to -\infty}^{x = y} p_x(x)\,p_y(y)\,dx\,dy \qquad (7)$$

Again to evaluate this integral, perform the x integration first, 
and y will appear as a parameter in the result. Then perform the 
y integration. The procedure can be shown by the following. Let 

$$I(y) = \int_{x \to -\infty}^{x = y} p_x(x)\,dx \qquad (8)$$

Then 

$$P\{A\} = \int_{y \to -\infty}^{y \to \infty} p_y(y)\,I(y)\,dy \qquad (9)$$

D. STUDY OF SOME SPECIAL CASES 


To check the validity of these formulae, we shall use them to 
calculate $P\{A\}$ for some simple cases where the computation is 
not difficult and the results can be checked with intuitive 
expectation. 

1. Case 1 -- Two Nonoverlapping Rectangular Distributions 

$$p_x(x) = \begin{cases} \dfrac{1}{d-c} & \text{for } c < x < d \\ 0 & \text{otherwise} \end{cases}$$

$$p_y(y) = \begin{cases} \dfrac{1}{b-a} & \text{for } a < y < b \\ 0 & \text{otherwise} \end{cases}$$

Using Eq (9), we calculate directly that 

$$I(y) = \int_{x \to -\infty}^{x = y} p_x(x)\,dx = \begin{cases} 0 & \text{for } y < c \\ \dfrac{y-c}{d-c} & \text{for } c < y < d \\ 1 & \text{for } y > d \end{cases}$$

and 

$$P\{A\} = \int_{y \to -\infty}^{y \to \infty} p_y(y)\,I(y)\,dy$$

But $I(y) = 0$ for $y < c$ 

and $p_y(y) = 0$ for $y > b$ 
and also $b < c$. 

Therefore, 

$$P\{A\} = 0 \text{ as expected.}$$
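Case 2 — Two Rectangular Distributions, Completely Overlapping

a < c < d < b

Consider:

$$p_y(y) = \begin{cases} \dfrac{1}{b-a} & a \le y \le b \\ 0 & \text{otherwise} \end{cases} \qquad p_x(x) = \begin{cases} \dfrac{1}{d-c} & c \le x \le d \\ 0 & \text{otherwise} \end{cases}$$

Using Eq (9) we calculate directly that

$$I(y) = \int_{x \to -\infty}^{x = y} p_x(x)\,dx = \begin{cases} 0 & \text{for } y < c \\ \dfrac{y-c}{d-c} & \text{for } c < y < d \\ 1 & \text{for } y > d \end{cases}$$

and by a straightforward calculation,

$$P\{A\} = \int_{y \to -\infty}^{y \to \infty} p_y(y)\,I(y)\,dy = \frac{1}{2}\left(\frac{d-c}{b-a}\right) + \left(\frac{b-d}{b-a}\right)$$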


Special Case — Identical Distributions

Suppose that d = b and c = a. Then the result above reduces to:

$$P\{A\} = \frac{1}{2}$$

Special Case — Symmetrically Located Distributions

Suppose that the two rectangular distributions are symmetrically
located relative to each other. That is, b - d = c - a. Then the
result for $P\{A\}$ in Case 2, again, reduces to

$$P\{A\} = \frac{1}{2}$$

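Case 3 — Two Rectangular Distributions, Partial Overlapping

Consider:

$$p_x(x) = \begin{cases} \dfrac{1}{d-c} & \text{for } c < x < d \\ 0 & \text{otherwise} \end{cases} \qquad p_y(y) = \begin{cases} \dfrac{1}{b-a} & \text{for } a < y < b \\ 0 & \text{otherwise} \end{cases}$$

Again, using Eq (9)

$$I(y) = \int_{x \to -\infty}^{x = y} p_x(x)\,dx = \begin{cases} 0 & y < c \\ \dfrac{y-c}{d-c} & c < y < d \\ 1 & y > d \end{cases}$$

and

$$P\{A\} = \int_{-\infty}^{\infty} p_y(y)\,I(y)\,dy$$

or

$$P\{A\} = \frac{1}{2}\left(\frac{b-c}{d-c}\right)\left(\frac{b-c}{b-a}\right) = \frac{1}{2}\left(\begin{array}{c}\text{Length of Overlap}\\ \text{Region Relative to}\\ \text{Length of } d-c\end{array}\right)\left(\begin{array}{c}\text{Length of Overlap}\\ \text{Region Relative to}\\ \text{Length of } b-a\end{array}\right)$$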


Using the approach described in the preceding section and assuming
a fixed probability over the tolerance interval, we can obtain
expressions for the mean values for the two alternate systems x
and y, and determine the probability that the central value of
x > y. The following figure describes this case.

[Figure: distributions of x and y on a common axis, with endpoints
8.27 (a), 8.78 (c), 12.37 (b), 13.16 (d)]

$$P\{A\} = \int_{y = -\infty}^{y = \infty} \int_{x = -\infty}^{x = y} P(y)\,P(x)\,dx\,dy$$

evaluating x first.
Integrating by parts

    x < c          P(x) = 0
    c < x < d      P(x) = 1/(d-c)
    x > d          P(x) = 0

for y

    y < a          P(y) = 0
    a < y < b      P(y) = 1/(b-a)
    b < y < d      P(y) = 0
    y > d          P(y) = 0
Now

$$I(y) = \int_{x = -\infty}^{x = y} P(x)\,dx$$

$$P\{A\} = \int_{y = -\infty}^{y = +\infty} P(y)\,I(y)\,dy$$

From the evaluation of P(x) and P(y) by parts, the only interval
in which both are real values other than zero is b to c

$$P\{A\} = \int_{y = c}^{y = b} \frac{y-c}{(d-c)(b-a)}\,dy = \frac{1}{(d-c)(b-a)}\left\{\frac{b^2-c^2}{2} - c\,(b-c)\right\}$$

An evaluation of this expression using the values in the figure

$$P\{A\} = 0.35$$

It is therefore concluded that because there is only a 35% chance
that System x has a larger central value than System y, we must
treat them as essentially equal.
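Eq (9) for two rectangular distributions, evaluated in closed form and cross-checked by sampling. This is an added example, not part of the report; the function names and the constructed Case 1 and Case 2 intervals are assumptions, and the last entry uses the endpoints from the figure.

```python
import random


def prob_y_exceeds_x(a, b, c, d):
    """P{A} = P{y > x} for y uniform on (a, b), x uniform on (c, d), per Eq (9)."""
    if not (a < b and c < d):
        raise ValueError("each interval needs lower < upper")
    # I(y) is 0 below c, (y - c)/(d - c) on (c, d), and 1 above d.
    lo, hi = max(a, c), min(b, d)      # part of (a, b) where I(y) ramps
    ramp = ((hi - c) ** 2 - (lo - c) ** 2) / (2.0 * (d - c)) if hi > lo else 0.0
    flat = max(0.0, b - max(a, d))     # part of (a, b) where I(y) = 1
    return (ramp + flat) / (b - a)     # weight by p_y(y) = 1/(b - a)


def monte_carlo(a, b, c, d, trials=200_000, seed=1):
    """Independent sampling check of the same probability (fixed seed)."""
    rng = random.Random(seed)
    hits = sum(rng.uniform(a, b) > rng.uniform(c, d) for _ in range(trials))
    return hits / trials


# Arguments are (a, b, c, d). The first three sets are constructed inputs.
CASES = {
    "case 1, no overlap (b < c)": (0.0, 1.0, 2.0, 3.0),
    "case 2, identical": (0.0, 4.0, 0.0, 4.0),
    "case 2, symmetric (b-d = c-a)": (0.0, 4.0, 1.0, 3.0),
    "case 3, figure endpoints": (8.27, 12.37, 8.78, 13.16),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(f"{name:32s} exact={prob_y_exceeds_x(*args):.4f} "
              f"sampled={monte_carlo(*args):.4f}")
```

For the figure's endpoints the closed form gives about 0.359, which the text quotes as 0.35.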
APPENDIX E  LAUNCH-ON-TIME ANALYSES

POSTDELIVERY REQUIREMENTS

The postdelivery requirements are based on two recycles
during prelaunch operations. Therefore, the probability
of exceeding 2 recycles is considered in the launch-on-time
analysis. This includes the following recycle conditions.

1) $P_N$ = Probability of the payload surviving prelaunch
   operations with N recycles or less.

   $P_{N-1}$ = Probability of the payload surviving prelaunch
   operations with N - 1 recycles or less (allow
   one recycle from launch pad).

   $P_0$ = Probability of no malfunctions in the payload
   during prelaunch and marriage tests during any
   one cycle (can recur) or recycle.

2) $$P_N = P_0 + (1 - P_0)\,P_0 + (1 - P_0)^2\,P_0 + \cdots + (1 - P_0)^N\,P_0 = 1 - (1 - P_0)^{N+1}$$

3) For N = 2, $P_0$ = 0.95:

   $$P_N = 1 - (0.05)^3 = 0.999875$$

   $$P_{N-1} = 1 - (0.05)^2 = 0.9975$$

4) Parametric variations of $P_N$ are presented in Fig. 1.
   The above conditions are used in the following calculations
   for launch operations.


B. LAUNCH PAD OPERATIONS - CONFIGURATION 1

22-Day Launch Period
10-Day Turnaround
With Spare Spacecraft

1. Payload

Figure 2 presents the timeline showing all possible outcomes
of the payload resulting in two launches within the
launch period. Figure 3 presents the corresponding success/
failure diagram. Let

P = the probability of achieving a launch on any one
attempt (can recur)

and

$(\text{PLOT})_2$ = the probability of achieving two launches in
the launch period

The probability of achieving two launches because of the
payload is the sum of the probabilities of the outcomes
shown in Fig. 2 and 3 as follows.

Outcome No.    Probability of Outcome

1              $P_N^2 P^2$
2              $P_N^3 P^2 (1 - P)$
3              $P_N^3 P^2 (1 - P)$
4              $P_N^3 P^2 (1 - P)^2 P_{N-1} P_0$
5              $P_N^3 P^2 (1 - P)^2 P_{N-1} P_0$

$$\sum = (\text{PLOT})_2 = P_N^2 P^2 \left\{ 1 + 2 P_N (1 - P) + 2 P_N P_{N-1} P_0 (1 - P)^2 \right\}$$

Let N = 2, $P_0$ = 0.95, and P = 0.95.
Then

$P_N$ = 0.999875
and
$P_{N-1}$ = 0.9975

See Section A
NOTE: 22-Day Launch Period,
10-Day Turnaround,
With Spare Launch Vehicle, and Payload (LP)

Figure 2 — Timeline for Configuration 1, Payload and Launch Vehicle

$$(\text{PLOT})_2 = (0.999875)^2 (0.95)^2 \left\{ 1 + 2(0.999875)(0.05) + 2(0.999875)(0.9975)(0.95)(0.0025) \right\}$$

$$(\text{PLOT})_2 = 0.996765$$


2. Launch Vehicle

Figures 2 and 3 also apply to the launch vehicle, except
that there is no limitation on the number of recycles
($P_N$ and $P_{N-1}$ do not apply).

Outcome No.    Probability of Outcome

1              $P^2$
2              $P^2 (1 - P)$
3              $P^2 (1 - P)$
4              $P^2 (1 - P)^2 P_0$
5              $P^2 (1 - P)^2 P_0$

$$(\text{PLOT})_2 = P^2 \left\{ 1 + 2(1 - P) + 2 P_0 (1 - P)^2 \right\}$$

for P = 0.95, $P_0$ = 0.95

$$(\text{PLOT})_2 = 0.997037$$


3. All Other Causes

Let P = probability of launching on any one attempt (can recur)
$N_1$ = number of attempts required for the first launch
$N_2$ = number of attempts available for the second launch
$(\text{PLOT})_2$ = probability of achieving 2 launches in the launch period

The number of attempts available for the second launch depends
on the number of attempts used for the first launch. Therefore,
the probability of achieving the second launch in $N_2$
attempts or less depends on the probability of the first launch
being achieved in exactly $N_1$ attempts.

$$P_{N_1} = P\,(1 - P)^{N_1 - 1}$$

$$P_{N_2} = 1 - (1 - P)^{N_2}$$



where = total attempts available. 

The probability of launching two on time is the sum of the 
probabilities of all outcomes 


( PLOT) 2 = £ P » 

The calculations are presented in Table 1 for P = 0.90.
From Table 1

$$(\text{PLOT})_2 = 0.999540$$

Calculations for Probability of Two Launches, All Other Causes

Results - Configuration #1

22-Day Launch Period
10-Day Turnaround (launch-to-launch)
With both Spare Launch Vehicle and Payload

                     Probability of      Launch-on-Time
                     Launch-on-Time      Risk

Payload              0.996765            0.003235
Launch Vehicle       0.997037            0.002963
All Other Causes     0.999540            0.000460
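The Section A recycle probabilities and the three Configuration 1 sums above, computed term by term. This is an added example, not code from the report; the function names, `total_attempts` and the rule N_2 = total_attempts - N_1 are assumptions (Table 1 is not reproduced on this page), with total_attempts = 5 chosen because it reproduces the quoted 0.999540.

```python
def p_recycles(p0, n):
    """P_N: payload survives prelaunch operations with n recycles or less."""
    # Term k is (1 - P_0)^k * P_0: k cycles with a malfunction, then a clean one.
    return sum((1 - p0) ** k * p0 for k in range(n + 1))


def plot2_payload_config1(p, p0, n):
    """(PLOT)_2 for the Configuration 1 payload, summed outcome by outcome."""
    pn, pn1 = p_recycles(p0, n), p_recycles(p0, n - 1)
    outcomes = [
        pn**2 * p**2,                             # outcome 1
        pn**3 * p**2 * (1 - p),                   # outcome 2
        pn**3 * p**2 * (1 - p),                   # outcome 3
        pn**3 * p**2 * (1 - p) ** 2 * pn1 * p0,   # outcome 4
        pn**3 * p**2 * (1 - p) ** 2 * pn1 * p0,   # outcome 5
    ]
    return sum(outcomes)


def plot2_launch_vehicle_config1(p, p0):
    """Same five outcomes with no recycle limit, so P_N and P_(N-1) drop out."""
    return p**2 * (1 + 2 * (1 - p) + 2 * p0 * (1 - p) ** 2)


def plot2_other_causes(p, total_attempts):
    """Sum of P_N1 * P_N2 over N_1, ASSUMING N_2 = total_attempts - N_1."""
    total = 0.0
    for n1 in range(1, total_attempts):
        n2 = total_attempts - n1                  # assumed stand-in for Table 1
        first_on_exactly_n1 = p * (1 - p) ** (n1 - 1)
        second_within_n2 = 1 - (1 - p) ** n2
        total += first_on_exactly_n1 * second_within_n2
    return total


if __name__ == "__main__":
    print(f"P_N              = {p_recycles(0.95, 2):.6f}")
    print(f"P_(N-1)          = {p_recycles(0.95, 1):.6f}")
    print(f"payload          = {plot2_payload_config1(0.95, 0.95, 2):.6f}")
    print(f"launch vehicle   = {plot2_launch_vehicle_config1(0.95, 0.95):.6f}")
    print(f"all other causes = {plot2_other_causes(0.90, 5):.6f}")
```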






C. Launch Pad Operations, Configuration 2

30-Day Launch Period
16-Day Turnaround
No Spare Vehicle with Spare Payload

1. Payload

Figure 4 presents the timeline for all outcomes of the payload
resulting in two launches. Figure 5 presents the corresponding
success/failure diagram. Calculations are as follows.

Outcome    Probability of Outcome

1          $P^2 P_N^2$
2          $P^2 P_N^3 (1 - P)$
3          $P^2 P_N^3 (1 - P)$
4          $P^2 P_N^3 P_{N-1} P_0 (1 - P)^2$

$$(\text{PLOT})_2 = P^2 P_N^2 \left\{ 1 + 2 P_N (1 - P) + P_N P_{N-1} P_0 (1 - P)^2 \right\}$$

For $P_0$ = 0.95, P = 0.95, $P_N$ = 0.999875, $P_{N-1}$ = 0.9975,

$$(\text{PLOT})_2 = 0.994627$$

2. Launch Vehicle

Figure 6 presents the timeline and the success/failure diagram
for the launch vehicle using Configuration 2 data. Calculations
are as follows.
NOTE: 30-Day Launch Period
16-Day Turnaround
No Spare Launch Vehicle with Spare Payload (P)

Figure 4 — Timeline for Configuration 2, Payload

Figure 6 — Timeline and Success/Failure Diagram, Launch Vehicle

Outcome    Probability of Outcome

1          $P^2$
2          $P^2 \{ P_0 (1 - P) \}$

$$(\text{PLOT})_2 = P^2 \left\{ 1 + P_0 (1 - P) \right\}$$

For P = 0.95 and $P_0$ = 0.95,

$$(\text{PLOT})_2 = 0.945369$$


3. All Other Causes

Table 2 shows the number of launches available for the second
launch as a function of the number of attempts used for the first
launch and presents the calculations. From Table 2,

$$(\text{PLOT})_2 = 0.999945$$

4. Results, Configuration 2

30-Day Launch Period
16-Day Turnaround
No Spare Launch Vehicle with Spare Payload

                     Probability of      Launch-on-Time
                     Launch-on-Time      Risk

Payload              0.994627            0.005373
Launch Vehicle       0.945369            0.054631
All Other Causes     0.999945            0.000055
TOTAL                0.94036             0.059762

Table 2

Calculations for Probability of Two Launches, All Other Causes, Configuration




Launch Pad Operations, Configuration 3

30-Day Launch Period
10-Day Turnaround
No Spare Launch Vehicle with Spare Payload

Payload

Figure 7 presents the timeline for Configuration 3. Figure 8
presents the corresponding success/failure diagram. The
calculations are as follows.

Outcome No.    Probability of Outcome

1              $P^2 P_N^2$
2              $P^2 P_N^3 (1 - P)$
3              $P^2 P_N^3 (P_{N-1} P_0)(1 - P)^2$
4              $P^2 P_N^3 (1 - P)$
5              $P^2 P_N^3 (P_{N-1} P_0)(1 - P)^2$
6              $P^2 P_N^3 (P_{N-1} P_0)(1 - P)^2$
7              $P^2 P_N^3 (P_{N-1} P_0)^2 (1 - P)^3$
8              $P^2 P_N^3 (P_{N-1} P_0)^2 (1 - P)^3$

NOTE: 30-Day Launch Period

Figure 7 — Timeline for Configuration 3, Payload

$$(\text{PLOT})_2 = P^2 P_N^2 \left\{ 1 + 2 P_N (1 - P) + 3 P_N (P_{N-1} P_0)(1 - P)^2 + 2 P_N (P_{N-1} P_0)^2 (1 - P)^3 \right\}$$

For P = 0.95, $P_N$ = 0.999875, $P_{N-1}$ = 0.9975, and $P_0$ = 0.95,

$$(\text{PLOT})_2 = 0.999104$$

Launch Vehicle

Figure 9 presents the timeline for Configuration 3. Figure 10
presents the corresponding success/failure diagram. Calculations
are as follows.

Outcome No.    Probability of Outcome

1              $P^2$
2              $P^2 P_0 (1 - P)$
3              $P^2 P_0 (1 - P)$
4              $P^2 P_0^2 (1 - P)^2$
5              $P^2 P_0^2 (1 - P)^2$
6              $P^2 P_0^3 (1 - P)^3$

$$(\text{PLOT})_2 = P^2 \left\{ 1 + 2 P_0 (1 - P) + 2 P_0^2 (1 - P)^2 + P_0^3 (1 - P)^3 \right\}$$

For P = 0.95 and $P_0$ = 0.95,

$$(\text{PLOT})_2 = 0.992407$$
Figure 9 — Timeline for Configuration 3, Launch Vehicle

3. All Other Causes

Table 3 shows the number of launch attempts available for the
second launch as a function of the number used for the first
launch. From Table 3,

$$(\text{PLOT})_2 = 0.999999$$

4. Results, Current Baseline

30-Day Launch Period
10-Day Turnaround
No Spare Launch Vehicle with Spare Payload

                     Probability of      Launch-on-Time
                     Launch-on-Time      Risk

Payload              0.999104            0.000896
Launch Vehicle       0.992407            0.007593
All Other Causes     0.999999            0.0000001
TOTAL                0.991516            0.008484

Calculation for All Other Causes












APPENDIX F  MONTE CARLO SIMULATION MODEL

DEVELOPMENT OF STORAGE MATRIX




STATE    UNTESTABLE    TESTABLE
         PARTS a       PARTS b

1        1             1           BOTH GOOD
2        1             0           a GOOD
3        0             1           b GOOD
4        0             0           NEITHER GOOD

[Figure: storage matrix, START IN STATE 1-4 by FINISH IN STATE 1-4,
with entries in R_1 (UNTESTABLE PARTS) and R_2 (TESTABLE PARTS).
Legend: STORAGE FAILURE RATE; UNTESTABLE PARTS; TESTABLE PARTS;
T = TIME OF STORAGE]


DEVELOPMENT OF TEST MATRIX

D = PROBABILITY OF NOT CAUSING A DETECTABLE FAILURE

N = PROBABILITY OF NOT CAUSING AN UNDETECTABLE FAILURE

P = PROBABILITY OF DETECTING A DETECTABLE FAILURE

                                    FINISH IN STATE

START IN STATE     1          2             3               4
                   GOOD       DETECTABLE    UNDETECTABLE    DET. & UNDET.

1 GOOD             DN         (1-D)N        (1-N)D          (1-Σ) = 1-D-N+ND
2 DETECT.          DNP        N(1-PD)       PD(1-N)         (1-Σ) = 1-N-DP+DPN
3 UNDET.           0          0             D               1-D
4 DET. & UNDET.    0          0             PD              1-PD


EXAMPLES OF MATRIX CONSTRUCTION

START IN STATE 1, FINISH IN STATE 3, OR
GOOD AT START, UNDETECTABLE FAILURE AT FINISH

STATE 1     D       DO NOT CAUSE A DET. FAILURE
            1-N     CAUSE AN UNDET. FAILURE

= D(1-N)

START IN STATE 2, FINISH IN STATE 1 OR
DETECTABLE FAILURE AT START, GOOD AT FINISH.

STATE 2     P   N   D

= PND

START IN STATE 2, FINISH IN STATE 2 OR
DETECTABLE FAILURE AT START, DETECTABLE
FAILURE AT FINISH.

P   N   1-D

= (1-P)N + PN(1-D) = N(1-PD)

NOTE: SINCE ALL ROW SUMS IN A STOCHASTIC MATRIX = 1,
THE VALUE OF THE ENTRY IN COLUMN 4 OF EACH ROW
IS CALCULATED BY SUBTRACTING THE SUM OF ENTRIES
1, 2, and 3 OF EACH ROW FROM ONE.
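The test matrix built from D, N and P, with each row checked against a sampled test event. This is an added example, not code from the report; the order of steps in `simulate_test` (detect and remove an existing detectable failure, then possibly cause new failures) is an assumption read off the worked examples above, and the D, N, P values in the usage are constructed.

```python
import random


def build_test_matrix(D, N, P):
    """4x4 test matrix; rows are the start state, columns the finish state."""
    rows = [
        [D * N,     (1 - D) * N,     (1 - N) * D],      # start 1: good
        [D * N * P, N * (1 - P * D), P * D * (1 - N)],  # start 2: detectable
        [0.0,       0.0,             D],                # start 3: undetectable
        [0.0,       0.0,             P * D],            # start 4: det. & undet.
    ]
    # Column 4 is one minus the sum of entries 1, 2 and 3 (the NOTE above).
    return [r + [1.0 - sum(r)] for r in rows]


def simulate_test(state, D, N, P, rng):
    """Sample the finish state of one test event (assumed mechanism)."""
    det, undet = state in (2, 4), state in (3, 4)
    if det and rng.random() < P:   # existing detectable failure is detected
        det = False                # and removed
    if rng.random() >= D:          # test causes a detectable failure
        det = True
    if rng.random() >= N:          # test causes an undetectable failure
        undet = True
    return 1 + det + 2 * undet     # 1 good, 2 det., 3 undet., 4 both


def estimate_row(start, D, N, P, trials=100_000, seed=7):
    """Monte Carlo estimate of one matrix row from simulate_test."""
    rng = random.Random(seed)
    counts = [0, 0, 0, 0]
    for _ in range(trials):
        counts[simulate_test(start, D, N, P, rng) - 1] += 1
    return [c / trials for c in counts]


if __name__ == "__main__":
    D, N, P = 0.9, 0.95, 0.8       # constructed values
    for start, row in enumerate(build_test_matrix(D, N, P), start=1):
        sampled = estimate_row(start, D, N, P)
        print(start, [f"{x:.4f}" for x in row], [f"{x:.4f}" for x in sampled])
```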
FAILURE RATE 0.1x10

ACCUMULATED TIME - MONTHS